Nissan North America data breach caused by third-party provider

SECURITY

Nissan North America Inc. has disclosed a data breach caused by an outside provider that affected nearly 18,000 customers.

The breach was disclosed via a notification to the Office of the Maine Attorney General in mid-December. The notice states that the breach occurred June 21 last year and was discovered June 26. The breach is described as involving a third-party service provider that does software development services for Nissan.

Nissan subsequently ensured that the third-party provider contained the threat and launched an investigation. Nissan said it also worked with the provider to ensure that events like this don’t happen in the future.

The breach investigation was finalized in September and found that the incident likely resulted in unauthorized access or acquisition of data, including some personal information belonging to Nissan customers. The cause of the breach is described as the result of data embedded within the code during software testing unintentionally and temporarily stored in a cloud-based public repository — in other words, another case of data exposure on an unsecured cloud instance.

Data exposed in the breach may have included names, dates of birth and account numbers. Credit card information and Social Security numbers were not exposed. While noting that it has no evidence that the data has been misused, Nissan is offering credit monitoring through Experian plc, a company that has its own problems with data breaches.

“This is a common pattern of breaches that happen against organizations with large datasets,” Abhay Bhargav, chief executive officer at application security training platform provider AppSec Engineer Pte. Ltd., told SiliconANGLE. “Third parties are often given this data for processing purposes like analytics or for running their own applications. Misconfigured access control is the leading cause of these breaches and organizations must take serious precautions and conduct due diligence of the vendors they share sensitive customer data with.”

Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., said Nissan provided the information in good faith to an organization contracted to do testing, but it failed to secure the data properly.

“Any organization that handles your data needs to be held to a standard of protection at or above your own,” Kron said. “An unfortunate part of these types of issues is that Nissan will be associated with the breach, but the third party will likely go unremembered.”

Photo: Nissan