Late last month, Nissan Oceania disclosed a security incident involving a third-party call center provider, OracleCMS, which had been contracted in response to a previous cybersecurity incident but was then breached itself.
This double breach has compromised the personal information of Nissan customers, employees, and stakeholders. Their data was already in the hands of cybercriminals, and the exposure has now been expanded.
Background
Nissan first identified unauthorized access to its IT servers on December 5, 2023. Immediate containment measures were taken, and authorities, including the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre, were notified. Despite these efforts, sensitive data was stolen and posted on the dark web. The compromised information includes government identification, loan-related documents, and personal details of around 100,000 individuals.
The second breach came to light on April 18, 2024, when OracleCMS, contracted to manage Nissan’s dedicated cyber incident call center, reported its own data breach. The compromised data at OracleCMS includes names, contact details, and descriptions from Nissan’s incident notification letters. Although no identity documents or ID numbers were affected, this breach has further escalated the concerns surrounding Nissan’s cyber security.
“Regrettably, we became aware on April 18 that the external supplier we contracted to manage our dedicated cyber incident call centre, OracleCMS, was impacted by its own data breach that affected several of its clients, including Nissan,” reads Nissan’s statement.
“Unfortunately, some Nissan customer, staff, and other stakeholder information, which OracleCMS held on its systems to be able to answer incoming queries, was compromised during the incident.”
Investigation and response
Nissan has been working closely with external cyber forensic experts and government authorities to assess the impact. The initial breach affected Nissan’s local IT servers, compromising data from various customer segments, including those associated with Mitsubishi, Renault, Skyline, Infiniti, LDV, and RAM finance businesses. Approximately 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports, and 1,300 tax file numbers were among the data compromised.
In response to the OracleCMS breach, Nissan is offering support measures such as free credit monitoring via Equifax in Australia and Centrix in New Zealand, access to IDCARE’s services, and reimbursement for the replacement of compromised identity documents. A dedicated call center remains available for queries and support.
OracleCMS’ forensic investigation confirmed no ongoing malicious activity and found no vulnerabilities in its external-facing systems. The firm has assured clients and affected individuals of its efforts to contain the breach and of the support measures in place. It advises vigilance against potential scams and stresses the importance of multi-factor authentication and robust password practices.
Nissan customers in Australia and New Zealand are advised to follow these practices:
- Be vigilant for suspicious online activity.
- Avoid clicking on unknown links or attachments.
- Verify the legitimacy of communication sources.
- Regularly update and strengthen passwords.
- Enable multi-factor authentication where possible.
- Report scams via Scamwatch in Australia or contact relevant authorities in New Zealand.