Toni Dimaano Auto 01.18.2023 01:Jan AM EST

Nissan North America Reveals Customer Data Breach Caused By Third-Party Provider

Nissan North America has started notifying clients of data breaches that exposed client information at third-party service providers.

On January 16, Nissan notified the security compromise to the Office of the Maine Attorney General, at which point it revealed that 17,998 customers were impacted.

Nissan North America Says The Exposed Database Is Now Secure

Nissan alleges in the sample notification that on June 21 of last year, one of its software development vendors informed it of a data breach.

According to Bleeping Computer, the third party had unintentionally exposed customer information because of a poorly designed database.

The automaker had given the third party customer data to use in creating and testing software solutions for the manufacturer.

Nissan also ensured the exposed database had been secured and started an internal investigation as soon as it was made aware of the security breach.

After the investigation into the breach was completed in September, it was determined that some customer personal data belonging to Nissan was probably acquired without authorization.

The cause of the breach is characterized as the result of data encoded within the code during software testing accidentally and temporarily put in a cloud-based public repository.

In other words, this is another incident of data exposure on an unprotected cloud instance, according to Silicon Angle.

"During our investigation, we determined that this incident likely resulted in the unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers," the notice states.

Reports say that names, dates of birth, and account numbers may have been among the data exposed in the incident, but credit card numbers and Social Security numbers were not.

Nissan is providing credit monitoring through Experian plc, a business that has its own issues with data breaches, even though it states that it has no proof that the data has been exploited.

Following this, all recipients of the breach alerts will also be given the option to sign up for Experian's identity protection services for a full year.

Nissan Has Already Encountered A Similar Problem Before

Similar circumstances occurred in January 2021 at Nissan North America, where a Git server was left online with default access credentials, exposing numerous of the company's repositories to the public.

About 20 GB of data, including the source code for internal tools, mobile apps, and market research, as well as diagnostics and information about NissanConnect services, were exposed as a result of this incident.

Bleeping Computer reports that a similar data security breach involving Toyota occurred more recently, in October 2022, exposing the personal data of 296,019 customers.

The problem happened as a result of a five-year public access period that was allowed for a GitHub repository containing access credentials to the company's databases.

Additionally, it has been discovered that Nissan and other automakers use subpar API security procedures on their mobile apps and online portals, which could result in account takeovers and the revealing of critical information.