Nissan North America has begun sending data breach notifications to customers about a breach at a third-party service provider that exposed customer information.
The security incident was reported to the Maine Attorney General’s office on Monday, January 16, 2023, where Nissan disclosed that 17,998 customers were affected by the breach.
In the sample notification, Nissan claims to have received a data breach notice from one of its software development vendors on June 21, 2022.
The third party had received customer data from Nissan for use in developing and testing software solutions for the automaker, and that data was inadvertently exposed due to a misconfigured database.
After learning of the security incident, Nissan ensured that the exposed database had been secured and launched an internal investigation. On September 26, 2022, it verified that an unauthorized person had likely accessed the data.
“During our investigation on September 26, 2022, we determined that this incident likely resulted in the unauthorized access or acquisition of our data, including certain personal information belonging to Nissan customers,” read the note.
“Specifically, data embedded in code during software testing was unintentionally and temporarily stored in a cloud-based public repository.”
Exposed data includes full names, dates of birth, and NMAC (Nissan Financial Account) account numbers. Additionally, the notice clarifies that the information exposed did not include credit card details or Social Security numbers.
Nissan says that, to date, it has seen no evidence that any of this information has been misused and that it is sending the notices out of caution.
Additionally, all recipients of breach notices will be offered a one-year subscription to identity protection services through Experian.
In January 2021, Nissan North America experienced a similar incident, leaving a Git server exposed online with default access credentials, which made several company repositories public.
That incident led to a 20 GB data leak, including source code for mobile apps and internal tools, market research and customer acquisition data, diagnostics, and NissanConnect services details.
More recently, in October 2022, Toyota experienced a similar data security incident in which the personal information of 296,019 customers was exposed.
The incident happened because a GitHub repository containing access keys to the company’s databases was left open to the public for five years.
Additionally, Nissan and other automakers have been shown to follow poor API security practices on their mobile apps and online portals, which can lead to account takeovers and the exposure of sensitive information.