Here is your most current reminder that every third party with access to a manufacturer's data represents a potential avenue for cyberattack.
Nissan North America on January 16 reported to the Office of the Maine Attorney General a data breach that affected 17,998 people (785 of whom live in Maine). According to the report, the breach originally occurred on June 21, 2022, and was discovered on September 26, 2022. Customer notifications began going out December 19, 2022.
According to BleepingComputer and as reported by Nissan in said customer notifications, the breach originated with a third-party software development vendor that had used Nissan's customer data for development and testing purposes.
The data had been "unintentionally and temporarily stored in a cloud-based public repository," according to Nissan's customer notification, and included names, dates of birth, and NMAC account numbers. The data did not include Social Security numbers or credit card information.
"This is yet another example of where supply chain issues can impact organizations. Nissan provided the information in good faith to an organization contracted to do testing, however that organization failed to properly secure the data. This serves to outline the contractual requirements when providing information to third parties, even when they have a legitimate need," Erich Kron, security awareness advocate at KnowBe4, tells IndustryWeek.
"The issue also helps to outline the importance of having processes in place to validate or test potential contractors' systems that will be handling your information. While it's often not an easy sell to get a contractor to allow you to audit their systems, the history of data breaches caused by this type of mishandling is a strong argument toward being able to do that," Kron adds.
"The increasing adoption of cloud data storage technologies, the proliferation of unknown or 'shadow' data that is not kept up to date by IT and security teams, the death of the traditional security perimeter and a faster rate of change for developers have all created a perfect storm known as the 'innovation attack surface.' It refers to the continuous unintentional risk cloud data users, such as Nissan and most other modern businesses today, take when using data to drive innovation," says Amit Shaked, CEO and co-founder at Laminar.
"The use of real customer data for development and testing purposes should be discouraged. Instead, organizations should strive to use synthetic data that mimics real data. We see problems arise because often, test environments are not prioritized for security and maintenance of good configuration hygiene compared with production environments," says Maor Bin, CEO at Adaptive Shield.
"This is an Achilles' heel for security teams. Using real data in testing environments, combined with low security and minimum safeguards, leads to data leakage," Bin adds.
"Manufacturers must vet their employees and their third party/supply chain partners. This means doing risk assessments of them to uncover vulnerabilities so they can be corrected and putting vulnerability scans in place to ensure new risks don’t crop up," says Ryan Cloutier, president at SecurityStudio.
"Manufacturers have to embrace the idea of continuous risk management. This isn’t a 'set it and forget it' kind of thing – we have to continually manage risk by assessing risk," Cloutier adds.
In January 2021, Nissan North America suffered a data leak of source code for its mobile apps and internal tools due to a misconfigured Git server.
As a consolation for the June 2022 hack, Nissan is offering affected customers a free one-year membership of Experian IdentityWorks℠ for identity protection services.