Nissan data breach exposed Social Security numbers of thousands of employees

May 15, 2024

Nissan suffered a data breach last November in a ransomware attack that exposed the Social Security numbers of thousands of current and former employees, the Japanese automaker said Wednesday.

Nissan’s US-based subsidiary, Nissan North America, detailed the cyberattack in a May 15 letter to affected individuals. In the letter, Nissan North America said a bad actor attacked the company’s virtual private network and demanded payment. Nissan did not indicate whether it paid the ransom.

“[U]pon learning of the attack, Nissan promptly notified authorities and began taking immediate steps to investigate, contain and successfully terminate the threat,” the automaker said in the letter, adding that “Nissan has worked closely with external cybersecurity professionals with experience in handling these types of complex security incidents.”

Nissan North America also notified state officials across the U.S. about the attack, noting that data belonging to more than 53,000 current and former workers was compromised. But the company said its investigation found that the affected individuals did not have their financial information exposed.

Nissan North America has “no indication that any information was misused or was the intended target of the attack,” the automaker said in its letter.


Ransomware attacks, in which cybercriminals disable a target’s computer systems or steal data and then demand payment to restore service, have become increasingly common. A cybersecurity expert said someone likely obtained a password or multi-factor authentication code from an existing Nissan employee, allowing the hacker to log in through the company’s VPN.

“It is unfortunate that the breach involved personal information; however, Nissan did the right thing by continuing to investigate the incident and report the update,” Erich Kron, cybersecurity awareness advocate at KnowBe4, told CBS MoneyWatch in an emailed statement. “In this case, targeting the VPN will often help bad actors avoid detection and bypass many of the existing organizational security controls.”


