One of Japan’s leading carmakers has revealed a third-party data breach impacting 21,000 customers.
Nissan said that the breach stemmed from a compromise at Red Hat in September.
“Nissan Motor Co received a report from Red Hat, the company it had contracted to develop a customer management system for its dealerships, that the company’s data server had been accessed illegally and data had been leaked,” the statement explained.
“It was subsequently confirmed that the data leaked from the company included some customer information for Nissan Fukuoka Sales Co.”
Nissan said it received a notification from Red Hat on October 3 and immediately informed domestic regulator, the Personal Information Protection Commission. It is also in the process of contacting individual customers who have been affected.
The stolen information includes names, addresses, phone numbers, partial email addresses and “other customer-related information used for sales activities,” but not card details, the carmaker confirmed.
“At this time, there has been no confirmation that the leaked information has been used for secondary purposes. However, we ask that you be extremely cautious of any suspicious phone calls or mail you receive,” it added.
“Furthermore, the servers used by Red Hat do not store any customer information other than the data that was leaked this time, so there is no risk of further data leaks.”
Red Hat in the Crosshairs
An extortion group dubbed “Crimson Collective” claimed the attack on Red Hat’s private GitLab repositories, stealing nearly 570GB of data across 28,000 internal projects. This reportedly included around 800 Customer Engagement Reports (CERs) detailing customer networks and platforms.
Targeting Red Hat’s consulting business, the threat actors found authentication tokens, full database URIs and other sensitive information in Red Hat code and CERs, which they used to access customer infrastructure.
A list of the allegedly compromised CERs dating back to 2020 and posted by the group on Telegram included big-name brands such as Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the US Navy’s Naval Surface Warfare Center, Federal Aviation Administration and the House of Representatives.
This isn’t the first time Nissan has been caught up in a data breach incident. A ransomware attack in late 2023 led to the compromise of personal information impacting over 53,000 of its North America employees.
That same year, Nissan North America was forced to notify around 18,000 customers that their data may have been inadvertently exposed by a third-party supplier.
Image credit: Wongsakorn 2468 / Shutterstock.com