Thousands of Nissan customers affected by data breach through third-party vendor

Nissan has sent out breach notification letters to thousands of people to inform them of a leak of personal information through a third-party vendor.  

The car company said it was notified on June 21 that names, dates of birth, and account numbers for Nissan Motor Acceptance Corporation – an indirect lender that helps people finance or lease Nissan vehicles – were exposed after it provided the customer information to an unnamed third party “for software testing.” 

Nissan’s breach notification letter, which was sent to 17,998 people, does not say when the data was exposed nor for how long.

“During our investigation, on September 26, 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository,” the company said. 

Nissan said it was providing victims with a one-year membership for Experian IdentityWorksSM Credit 3B – a service that helps detect possible misuse of personal information.

A spokesperson for Nissan explained to The Record that the third-party vendor “inadvertently placed some customer data in an unsecured, cloud-based storage location.”

“At this time, we believe the risk is low, but, out of an abundance of caution, we are offering these consumers one year of credit monitoring services at no cost,” the spokesperson said.

The company did not answer questions about whether the information leaked was enough for cybercriminals to impersonate someone within Nissan’s customer finance portal.

KnowBe4’s Erich Kron said the incident was a prime example of why companies need to outline cybersecurity standards in contractual agreements signed with third parties tasked with handling sensitive customer data. 

“Nissan provided the information in good faith to an organization contracted to do testing, however that organization failed to properly secure the data. While it's often not an easy sell to get a contractor to allow you to audit their systems, the history of data breaches caused by this type of mishandling is a strong argument toward being able to do that,” he said. 

“Any organization that handles your data needs to be held to a standard of protection at or above your own. An unfortunate part of these types of issues is that Nissan will be associated with the breach, however the third party will likely go unremembered.”

Data from car companies and car insurance providers has been in high demand among cybercriminals, with multiple threat actors and groups leaking stolen data on the dark web in recent weeks. 

Car insurance data stolen from nearly 800,000 Japanese customers of Zurich Insurance showed up on a cybercriminal forum last week among several other posts containing vehicle related information.