Nissan confirms customer details published to dark web after cyberattack

Personal details of Nissan customers published on the dark web

Nissan Australia has confirmed the personal details of its customers obtained during December’s cyberattack have now been published to the dark web.

The Akira ransomware gang has claimed ownership of the attack and says it took over 100GB of sensitive information that included “stuff like NDAs, projects, information about clients and partners etc”.

3

In a statement made to its public website, Nissan said it was aware information taken in the data breach has now been published online.

“We are now aware that some data was accessed in the incident and posted on the dark web,” said the statement. “We are working urgently with our global incident response team and cyber forensic experts to understand what information was accessed and the types of information that was posted on the dark web.

“We are deeply sorry for any concerns this has caused for those who have been impacted.”

The cyberattack occurred on December 5 when hackers hit Nissan’s businesses in Australia and New Zealand.

As well as stealing sensitive information, the attack heavily impacted Nissan’s dealer network for a period of time by locking employees out of their email and other internal servers.

Nissan has urged customers to be extra vigilant online and to update their existing passwords and enable multi-factor authentication to minimise the risk of further breaches.

“Where we identify customer data has been accessed in a manner which gives rise to a risk of serious harm, we will contact you in accordance with our legal obligations, including to let you know what information was involved and what support is available to you,” added Nissan’s statement.

“We have already notified the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre, and the relevant privacy regulators and law enforcement bodies, and we are keeping them updated on our investigation.”

Our original story continues below.

3

December 7, 2023: Nissan Oceania is currently investigating a cyber incident. The full extent of the event is unknown, but the company has warned customers to be vigilant of scams over the coming days.

It is not yet clear what kind of data may have been obtained during the cyber attack or how many customers are affected. A statement issued to Nissan's Australian and New Zealand websites promises its global incident response team is on the case.

Nissan has notified both the Australian and New Zealand Cyber Security Centres of the incident for potential assistance from those bodies.

The situation is developing, but as Nissan's vehicles cannot be taken control of by third parties, the cyber incident is likely targeting personal information.

This year, Nissan has sold 36,718 vehicles in Australia and around 3000 in New Zealand. This cyber attack has not affected dealer contactibility, so those who need service or assistance can still call or email their local Nissan dealer.

Large-scale cyber crime has been on the rise, with three large breaches in 18 months including Latitude Financial Services with 14 million customers affected in April 2023, Medibank with 9.7 million in December 2022, and 9.8 million Optus customers in September 2022.

Updates will be added as more information comes to light.