Nissan Informing 1.3 Million Canadians of Potential Breach
Nissan said Thursday that information belonging to Canadian customers, like their names, addresses, and vehicle identification number, may have been breached.
Carmaker Nissan said this week the company is in the middle of notifying over one million customers in Canada that their data may have been accessed without their consent.
The arm of the company that allows Nissan Canadian Finance (NCF) said Thursday it wasn’t certain exactly how many customers are affected but that it was contacting current and former customers, roughly 1.13 million Canadians, who financed their cars through NCF and INFINITI Financial Services Canada. Infiniti is division of Nissan Canada Inc.
The company didn't specify how customers' information may have been breached, only that it was working with Canadian privacy regulators, law enforcement, and data security experts to review the incident.
Information impacted may have included customer names, addresses, vehicle make and model, vehicle identification number (VIN), credit score, loan amount and customers’ monthly payment information.
Like many companies do after they've been breached Nissan said planned to provide victims 12 months of credit monitoring services through a credit reporting agency, TransUnion.
For the most part auto manufacturers have managed to evade data breaches over the last several years. Perhaps not so surprisingly, it's the Internet of Things (IoT) angle that carmakers have been struggling with. In April Hyundai was forced to patch a vulnerability in Blue Link, technology that brings remote start and climate control functionality to iOS users via the company’s MyHyundai with Blue Link app. Researchers with Rapid7 identified a bug in the software that could have allowed an attacker to glean usernames, passwords, and PINs, information that could be used to locate cars, unlock cars, and start their engine.
A similar issue, an API vulnerability, affected Nissan cars in 2016. The vulnerability, discovered by Have I Been Pwned (HIBP) creator Troy Hunt, allowed remote access to the onboard computers in roughly 200,000 Nissan Leaf and eNV200 electric vehicles. If an attacker had access to a driver's VIN number they could remotely access the car's climate controls, battery status, and GPS logs.