Over the next few weeks, Nissan Oceania will make contact with around 100,000 people in Australia and New Zealand whose data was pilfered in a December 2023 attack on its systems – perhaps by the Akira ransomware gang.
The cyberbaddies stole some form of government identification from up to ten percent of victims. Among the data stolen from the automotive manufacturer was info on 4,000 cards for Medicare – Australia’s national health insurance scheme – plus 7,500 driving licenses, 220 passports, and 1,300 tax file numbers.
The remaining 90 percent of folks had other info stolen – perhaps copies of loan-related transaction statements, employment details, or salary information. The heist may also include personally identifiable information (PII) such as dates of birth.
Some of those affected by the breach were customers of finance services that Nissan operated and branded for rival automakers Mitsubishi, Renault, Infiniti, LDV, and RAM.
“We know this will be difficult news for people to receive, and we sincerely apologize to our community for any concerns or distress it may cause,” Nissan said in a statement posted to its website.
“We are committed to contacting affected individuals as soon as possible to tell them what information was involved, how we are supporting them, and the steps they can take to protect themselves against the risk of harm, identity theft, scams, or fraud.”
In Australia, affected individuals are being offered 12 months of free credit monitoring from Equifax, and in New Zealand, a similar service is being made available through Centrix.
Individuals in both territories will also have access to IDCARE’s services for protecting against the misuse of stolen data, and those who need ID documents replaced can claim the cost back with Nissan Oceania.
Ransomware at play?
The company didn’t say at the time whether ransomware was involved, and still hasn’t mentioned it today, but the original intrusion was claimed by the Akira group.
Data supposedly belonging to Nissan Oceania is available to download via Akira’s website, suggesting that if ransomware was involved the automaker refused to pay.
Akira claims to have stolen 100 GB worth of data, including personal data. “They seem to not be very interested in the data, so you can find their stuff here,” Akira’s website reads.
“You will find docs with personal information of their employees in the archives and much other interested stuff like NDAs, projects, information about clients and partners etc.”
Akira has been responsible for attacks on many other major organizations since spinning up in March 2023, including cosmetics giant Lush and Stanford University, which just this week admitted to a data leak of 27,000 people’s information.
El Reg asked Nissan Oceania to comment on the possibility that ransomware caused this incident, but it did not immediately respond. ®