Ransomware, Identity, Privacy

Ransomware attack on Nissan North America results in employee data loss

Share
Nissan logo brand and text sign for dealership store of Japanese car shop

Nissan North America (NNA) notified consumers on May 15 that a ransomware attack included the loss of certain personal information relating to current and former NNA employees, including Social Security numbers.

Click for more special coverage

In a filing to the Maine Attorney General’s Office, NNA said the cybersecurity incident affected 53,038 individuals, including the NNA employees, as well as consumers.

The date of the breach was Nov. 7, 2023. NNA notified all current employees of the incident in a Dec. 5 Town Hall meeting that there was a possibility that certain employee personal information could have been accessed and that NNA would notify impacted individuals pending investigation.

NNA reported in the filing that the actual breach was discovered on Feb. 28 of this year. Through its investigation, NNA said it learned the criminal threat actor accessed data from a number of NNA’s local and network shares, but did not encrypt any data or render any of NNA’s systems inoperable.

A Nissan spokesperson said the automaker became aware of the attack when the threat actor deliberately accessed and caused some non-production systems to be shut down for a short time. Nissan immediately engaged with law enforcement, forensics professionals and outside counsel in order to investigate, contain, and successfully terminate the threat, which included proactively taking other systems offline, the spokesperson said, adding that there was no indication that any personal information has been misused.

Since the attack, NNA said it took several steps to strengthen its security environment, including an enterprisewide password reset, implementation of Carbon Black monitoring on all compatible systems, vulnerability scans, and other actions to address unauthorized access.

“There’s a growing trend of ‘smash and grab’ attacks where hackers are getting in, grabbing whatever they can find, and getting out,” said Venky Raju, Field CTO at ColorTokens. “The data is sifted and then sold on the dark web or it is being used by the same actors as part of their reconnaissance.”

Raju added that these “smash and grab” attacks rely on speed and ease of lateral movement within the network, as the adversary wants to find useful data quickly to avoid detection. Raju said implementing microsegmentation prevents, or will significantly slow down, the ability of the adversary to achieve their objectives, providing the security team with valuable time to detect and respond.

Narayana Pappu, chief executive officer at Zendata, added that this attacker most likely used this tactic to potentially avoid detection. Pappu said it’s a fairly common tactic that we have seen used in Maze, NetWalker, and Clop ransomwares.

“The main leverage the attacker has on the company in this incident is the threat to release the data to public forums,” said Pappu. “Organizations and security teams should implement access control lists, have an endpoint detection and response solution in place, and maintain backups. I recommend following the 3-2-1 backup rule, a data protection strategy that recommends having three copies of your data, stored on two different types of media, with one copy being kept off-site.”

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.