Nissan has revealed that over 53,000 of its North America employees have had their personal data breached following a ransomware attack on its systems in late 2023.
The information accessed by the threat actor comprises employees’ names or other personal identifiers in combination with their social security numbers.
The Japan-based car manufacturer made the disclosure in a data breach notification filed to the Office of the Maine Attorney General on May 15, 2024.
How the Nissan Data Breach Occurred
The notification explained that Nissan North America (NNA) became aware of a targeted attack against its external VPN when a ransomware actor shut down some of its systems and demanded a ransom payment.
The firm said it successfully remediated the attack in conjunction with external cybersecurity professionals, and law enforcement were notified of the incident.
Nissan then informed employees of the attack in a Town Hall meeting on December 5, 2023, and the possibility that certain employee personal information could have been accessed.
NNA subsequently discovered that the attacker had accessed data from a number of its local and network shares, but did not encrypt any data or render any of NNA’s systems inoperable.
On February 28, 2024, it was found that this data included personal information relating to 53,038 current and former NNA employees, including their social security numbers.
No employee financial data was accessed in the attack.
Nissan has not said whether it paid a ransom to the attackers.
In a letter sent to all impacted employees, Nissan expressed its “regret” for the data breach.
“Nissan values our employees’ privacy and deeply regrets that this incident occurred. Nissan has made further enhancements to our systems, security, and practices. We have engaged appropriate cybersecurity experts to assist us in conducting a review of our security practices and systems to ensure that enhanced security protocols are in place going forward to reduce the risk of this type of incident occurring in the future,” the company stated.
These new security measures include an enterprise-wide password reset, implementation of Carbon Black monitoring on all compatible systems, and vulnerability scans.
In March 2024, Nissan Oceania revealed that the data of approximately 100,000 customers, dealers and employees was affected by a cyber incident that impacted its local businesses. This followed a threat actor gaining access to the firm’s local IT servers.
How the Breach Affects Nissan Employees
There is currently no indication that any of the accessed information has been misused or was the intended target of the attackers.
However, there is the potential for malicious actors to use the stolen information for identity theft and follow-up social engineering attacks on NNA employees.
Nissan is offering staff complimentary credit monitoring services to help identify and resolve any cases of identity theft.
It is also providing proactive fraud assistance to help with any questions that affected individuals might have or in the event that they become a victim of fraud.
Why Did the Attackers Not Encrypt the Data?
Experts discussed the fact that the threat actors did not encrypt any data in NNA’s network after gaining access, contrary to the tactics employed in traditional ransomware attacks.
Darren Guccione, CEO and Co-Founder at Keeper Security, noted that a targeted ransomware attack could mean that malware was installed that could be triggered remotely to disrupt systems or disclose sensitive information if a ransom is not paid.
“If there was a threat to shut down systems, the threat actor could act on the threat through exploiting vulnerabilities or simply orchestrating a DDoS attack against critical network infrastructure,” he explained.
Narayana Pappu, CEO at Zendata, said that this approach may have been used to avoid the detection that the encryption process would trigger, and/or because the attackers believed the systems could be restored quickly.
“This is a fairly common tactic that we have seen used in Maze, NetWalker, and Clop ransomwares. The main leverage the attacker has on the company in this incident is the threat to release the data to public forums,” he said.
Another explanation is that Nissan were able to interrupt the attackers before they were able to fully encrypt systems and demand a ransom in return for the decryption key.