Nissan North America data breach caused by vendor-exposed database

6

Nissan North America has begun sending data breach notifications informing customers of a breach at a third-party service provider that exposed customer information.

The security incident was reported to the Office of the Maine Attorney General on Monday, January 16, 2023, where Nissan disclosed that 17,998 customers were affected by the breach.

In the notification sample, Nissan claims it received notice of a data breach from one of its software development vendors on June 21, 2022.

The third party had received customer data from Nissan to use in developing and testing software solutions for the automaker, which was inadvertently exposed due to a poorly configured database.

Upon learning of the security incident, Nissan ensured the exposed database had been secured and launched an internal investigation. On September 26, 2022, it verified that an unauthorized person had likely accessed the data.

“During our investigation, on September 26, 2022, we determined that this incident likely resulted in the unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers,” reads the notice.

“Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository.”

The exposed data includes full names, dates of birth, and NMAC account numbers (Nissan finance account). In addition, the notice clarifies that the exposed information did not include credit card details or Social Security numbers.

Nissan says that to this date, it has seen no evidence that any of this information has been misused and is sending out the notices out of an abundance of caution.

Additionally, all recipients of the breach notices will be offered a one-year membership of identity protection services through Experian.

Past problems

In January 2021, Nissan North America experienced a similar incident, leaving a Git server exposed online with default access credentials, resulting in several repositories of the firm becoming public.

This incident led to the leak of 20 GB of data, including mobile apps and internal tools source code, market research and client acquisition data, diagnostics, and NissanConnect services details.

More recently, in October 2022, Toyota experienced a similar data security incident in which the personal information of 296,019 customers was exposed.

The incident occurred because a GitHub repository containing access keys to the company’s databases was left open to public access for five years.

Also, Nissan, and other car companies, were shown to follow poor API security practices on their mobile apps and online portals, potentially leading to account takeovers and sensitive information exposure.

Source Bleeping Computer