Nissan Took Six Months To Notify People Of A Data Breach

If you go to The Office Of The Maine Attorney General, and look at this data breach notification, you’ll quickly see the following:

Nissan North America had a data breach last June. Almost 18000 people were affected by this breach, which was caused by “Inadvertent disclosure, Insider wrongdoing”, which means either someone on the inside screwed up or someone on the inside did something nefarious. The breach wasn’t discovered until the end of September, but Nissan North America didn’t let the public know until December.

That sounds pretty bad. But I will get back to that in a second.

Here’s what Nissan said:

The impacted third-party service provider provides software development services to Nissan. Nissan provided certain information to this service provider for processing during the testing of the software.

On June 21, 2022, Nissan received notice that certain data it provided for software testing had inadvertently been exposed by the third-party service provider. During our investigation, on September 26, 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository.

And here’s the information that is now out there:

The information that was potentially accessed or acquired during the time that it was temporarily available on a public repository included your name, date of birth, and NMAC account number. This information did not include your Social Security number or credit card information.

Again, that sounds pretty bad. And I have to admit that my initial reaction was to say “WTF? Six months to notify people?” But here’s an alternate view of this from Ani Chaudhuri, CEO, Dasera:

Though Nissan allegedly took six months to disclose the data breach to the affected parties, it is clear that they took the incident very seriously and moved quickly to contain the damage and protect the affected individuals. We should work to appreciate the transparency and honesty with which they communicated the incident to the public, as any form of a data breach is extremely hard on a company due to potential damage to reputation, revenue, culture, etc. 

One of the key takeaways from this incident is that data breaches can happen to any company, regardless of size or industry. It is important for companies not to be afraid to disclose data breaches publicly, as it raises awareness and helps other organizations learn from the incident. By being open and transparent, Nissan has set an example for other companies to follow.

Moving forward, companies like Nissan can prevent data breaches with a robust data governance and security strategy by providing a framework for managing and protecting sensitive information. Some ways data governance can help prevent data breaches include:

  • Establishing clear policies and procedures for data management: Data governance policies and procedures can set standards for how data is collected, stored, and shared within the organization. By having clear guidelines in place, the organization can reduce the risk of accidental data breaches caused by employees not following proper protocols.
  • Identifying sensitive data: Data governance can help identify sensitive data by classifying data based on its level of sensitivity, and then implementing appropriate controls to protect that data. By identifying sensitive data, Nissan can take the necessary steps to protect it from breaches.
  • Implementing access controls: Data governance can help implement access controls to ensure that only authorized personnel have access to sensitive data. By implementing access controls, Nissan can ensure that vendor employees only have access to the data they need to perform their duties, reducing the risk of breaches caused by unauthorized access.
  • Regularly monitoring and auditing data: Data governance can help implement regular monitoring and auditing of data to detect any anomalies or suspicious activities that could indicate a data breach. By regularly monitoring and auditing data, Nissan can detect a data breach early on and take action to contain the damage and protect the affected individuals.
  • Conducting vendor risk assessment: Data governance can help implement a vendor risk assessment program that allows the organization to assess the security risk of their vendors and make sure that their vendors are meeting the company’s security standards. This can help Nissan to identify potential vulnerabilities and take steps to mitigate them before a data breach occurs.

Overall, a mature data governance and security strategy can help companies like Nissan prevent data breaches by providing a framework for managing and protecting sensitive information, and by identifying and mitigating risk.

While all of that is true, I do wish that the public had known of this sooner, because the faster the public knows that something like this has happened, the better able the public is to take precautions against threat actors who would use this information for nefarious reasons.
