Nissan North America has started delivering data breach notifications that there has been a disclosure of client data due to a breach at a third-party service provider. On Monday, January 16, 2023, Nissan notified the security breach to the Office of the Maine Attorney General, at which point it revealed that 17,998 customers were impacted.
Nissan states in the notification sample that one of its software development vendors notified it of a data breach on June 21, 2022. The third party had unintentionally exposed customer information because of a poorly designed database. Nissan had given the third-party customer data to use in creating and testing software solutions for the manufacturer.
Nissan made sure the vulnerable database had been secured after learning about the security problem and started an internal inquiry. It confirmed on September 26, 2022, that there had most certainly been unauthorized access to the data. The letter states, “Throughout the course of our investigation, on September 26, 2022, we concluded that this incident likely resulted in the unlawful access or acquisition of our data, including some personal information belonging to Nissan customers.”
Full names, birthdates, and NMAC account numbers are among the information that was disclosed (Nissan finance account). The warning also makes it clear that Social Security numbers and credit card information were not among the compromised data.
Even though Nissan claims to have seen no evidence of this information being exploited yet, it is nonetheless sending out the letters out of an abundance of caution. All recipients of the breach alerts will also be given the option to sign up for Experian’s identity protection services for an entire year.
Nissan Has Experienced A Similar Issue Before.
Similar circumstances occurred in January 2021 at Nissan North America, where a Git server was left online with default access credentials, exposing numerous of the company’s repositories to the public.
20 GB of data, including the source code for internal tools, mobile apps, market research, diagnostics, and information about NissanConnect services, were exposed as a result of this incident.
The personal data of 296,019 consumers was compromised in a more recent data security breach that Toyota underwent in October 2022. The problem happened due to a five-year public access period that allowed for a GitHub repository containing access credentials to the company’s databases.
Additionally, it has been discovered that Nissan and other automakers use subpar API security procedures on their mobile apps and online portals, which could result in account takeovers and critical information revealing.
Best Practices With Third-Party Data Breach
- Ascertain the extent of the breach:
It would help if you first ascertain the breach’s extent and impact to plan your subsequent actions. The actions you should take if a significant amount of sensitive data has been exposed are listed below.
- Get your breach response team ready:
You must move quickly to activate your breach response team to stop further data loss. They will need to encrypt or lock down the impacted systems, change passwords, patch any vulnerabilities, and so forth. For more details on how and when to get your systems back up, you should also get in touch with the necessary authorities and forensics experts.
- Find and delete any stolen or leaked information:
If any private information is made available to the public, it must be deleted immediately. Your security team members should spend time using Google to look for copies of private information on other websites. You might need to contact search engines and ask them to erase their “cached” copies of your website. In order to identify the cause, you should also speak with everyone who witnessed or participated in the breach.
- Implement your incident response strategy:
A third-party data breach should be handled according to the incident response plan (IRP) that any company with a lot of sensitive data should have in place. The plan should detail the roles, duties, and actions that must be taken in the case of a security incident. All personnel must be aware of the plan and know who to contact to report suspicious behaviors.
- Notify the appropriate parties:
You must review the rules and regulations at the state and federal levels for any obligations that pertain to your business. For instance, rules like the GDPR contain breach reporting requirements that must be followed in order to avoid excessive fines and legal action. The process for notifying the appropriate authorities, organizations, and impacted people about the breach should be outlined in the IRP.
Nissan North America had begun informing customers of data breaches when customer information was compromised at outside service providers. Nissan informed the Office of the Maine Attorney General about the security breach on January 16, and it later disclosed that 17,998 customers had been affected. Nissan claims in the example notification that one of its software development vendors notified it of a data breach on June 21 of last year. Due to a poorly built database, the third-party mistakenly disclosed customer information. Customer information from the automaker was provided to the third party for use in developing and testing software solutions for the manufacturer.
“Nissan customers should be on the lookout for targeted phishing messages from scammers posing as Nissan or a related company. Given that NMAC account numbers were disclosed in the breach, those phishing emails could relate to vehicle financing. Never click on links or attachments in unsolicited emails and messages.”
Though Nissan allegedly took six months to disclose the data breach to the affected parties, it is clear that they took the incident very seriously and moved quickly to contain the damage and protect the affected individuals. We should work to appreciate the transparency and honesty with which they communicated the incident to the public, as any form of a data breach is extremely hard on a company due to potential damage to reputation, revenue, culture, etc.
One of the key takeaways from this incident is that data breaches can happen to any company, regardless of size or industry. It is important for companies not to be afraid to disclose data breaches publicly, as it raises awareness and helps other organizations learn from the incident. By being open and transparent, Nissan has set an example for other companies to follow.
Moving forward, companies like Nissan can prevent data breaches with a robust data governance and security strategy by providing a framework for managing and protecting sensitive information. Some ways data governance can help prevent data breaches include:
Overall, a mature data governance and security strategy can help companies like Nissan prevent data breaches by providing a framework for managing and protecting sensitive information, and by identifying and mitigating risk.
“I want to give a witty comment about parties and data. I can’t because these breeches are pushing to become a new normal and I can’t accept that. I have more than 20 years in this industry, and we are still seeing the same shoddy development practices from the 90s. Agile, waterfall, scrum, we missed the goal and as an industry we are getting Rick Rolled.”