Description
Nissan North America issued a letter to its employees on May 15, providing an update on a data breach involving the personally identifiable information of approximately 53,000 employees. The letter addressed a cybersecurity incident that occurred on November 7, 2023, during which cybercriminals gained unauthorized access to Nissan’s systems.
Initially, an investigation conducted by external experts immediately after the incident suggested that no personal information had been compromised, and employees were informed about the incident during a Nissan town hall meeting on December 5, 2023. However, on February 28, 2024, the company discovered that the names and Social Security numbers (SSNs) of the 53,000 employees had indeed been compromised. While Nissan has assured its stakeholders that no financial information was accessed, the exposure of such sensitive personal data raises significant concerns.
Identify Indicators of Compromise (IoC)
Nissan became aware of the attack when a ransomware actor shut down some of its systems and demanded a ransom payment. Although the demand made the actor’s intent clear, they failed to encrypt the data store, which is typically what a ransomware operator relies on as leverage for extortion.
Actions Taken
Nissan North America stated that it was able to successfully remediate the attack with the assistance of external cybersecurity professionals, which may have prevented any attempted encryption by the attacker. The company also notified relevant state authorities about the breach and has involved law enforcement from the outset of the incident. To mitigate potential risks, Nissan is offering affected employees free 24-month credit monitoring and identity theft protection services. This proactive measure aims to safeguard employees in case the compromised personal information is exploited for malicious purposes, such as identity theft or financial fraud.
Prevention
VPN systems are prime targets for external threat actors because they provide a gateway into the target network. Like any public-facing system, a VPN needs additional security measures. Essential measures include the following:
- Enable multi-factor authentication (MFA) for VPN access to prevent unauthorized access even if user credentials are compromised. MFA adds an extra layer of security beyond just passwords.
- Keep VPN software up to date by promptly installing security updates and patches released by the VPN vendor.
- Conduct regular audits and reviews of VPN configurations to ensure proper security settings, access controls, and compliance with security best practices.
VPN access should be restricted to only those users who absolutely require it for remote access purposes. Additionally, VPN users should be governed by security policies that restrict their movement to only the systems or network areas necessary for their job roles. Being connected through the VPN should not give a user access to the entire network. In addition, all data transmitted through the VPN should be encrypted, and access should be governed by the principle of least privilege (PoLP).
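One way to run the configuration review described above, as an added example that is not from Nissan or the original article: a Python audit over a constructed VPN account export that flags missing MFA, accounts whose role does not require VPN access, and allowed subnets that exceed what the role needs. The address ranges, role names, and record format are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (assumptions, not from the article).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address space
ROLE_SCOPES = {                                      # assumed role -> subnets the role needs
    "hr": ["10.20.0.0/24"],
    "it-admin": ["10.10.0.0/24", "10.20.0.0/24"],
}
VPN_ACCOUNTS = [                                     # hypothetical VPN policy export
    {"user": "alice", "role": "hr", "mfa": True, "allowed": ["10.20.0.0/24"]},
    {"user": "bob", "role": "hr", "mfa": False, "allowed": ["10.20.0.0/24"]},
    {"user": "carol", "role": "it-admin", "mfa": True, "allowed": ["10.0.0.0/8"]},
    {"user": "dave", "role": None, "mfa": True, "allowed": ["10.10.0.0/24"]},
    {"user": "erin", "role": "hr", "mfa": True,
     "allowed": ["10.20.0.0/24", "10.10.0.5/32"]},
]


def audit_account(acct, role_scopes=ROLE_SCOPES, internal=INTERNAL_NET):
    """Return the list of policy findings for one VPN account."""
    findings = []
    if not acct["mfa"]:
        findings.append("MFA_DISABLED")
    needed = [ipaddress.ip_network(n) for n in role_scopes.get(acct["role"], [])]
    if not needed:
        # No job role justifies remote access, so the account itself is the finding.
        findings.append("NO_ROLE_REQUIRES_VPN")
        return findings
    for cidr in acct["allowed"]:
        net = ipaddress.ip_network(cidr)
        if internal.subnet_of(net):
            # The rule covers the whole internal range: a flat network for this user.
            findings.append("FULL_NETWORK_ACCESS")
        elif not any(net.subnet_of(n) for n in needed):
            # Reachable range lies outside every subnet the role needs.
            findings.append(f"EXCESS_SCOPE:{cidr}")
    return findings


def audit_all(accounts):
    """Map each user with at least one finding to its findings."""
    report = {a["user"]: audit_account(a) for a in accounts}
    return {user: f for user, f in report.items() if f}


if __name__ == "__main__":
    for user, findings in audit_all(VPN_ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```

Accounts that produce no findings are omitted from the report, so an empty result means every account has MFA enabled and reaches only the subnets its role needs.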