Nissan Confirms Data Breach After Everest Ransomware Group Claims 910GB of Stolen Data

Summary

Nissan has confirmed that its data was compromised in a cyberattack targeting a third-party vendor, after the Everest ransomware group claimed responsibility for exfiltrating 910GB of data. The stolen information reportedly includes customer personal information, dealership operational data, and loan records for car buyers from a file transfer system used by Nissan and Infiniti dealerships across North America.

The Everest group initially threatened to release the data by April 3 if a ransom was not paid. Nissan did not pay. While the company stated it found “no indication that Nissan systems were compromised or that any Nissan customer information was accessed or put at risk,” the Everest group has since posted new details — including a negotiation log — on its dark web site.

This marks yet another in a series of cyber incidents for Nissan, following breaches in 2022, 2023, and 2024 that exposed data belonging to customers and employees.

Source

SC World — Everest ransomware group claims Nissan breach | Cybernews — Everest Nissan data breach ultimatum

Commentary

Nissan’s statement that its own systems weren’t compromised is doing a lot of heavy lifting when 910GB of customer and dealership data walked out the door via a third-party vendor. This is the third-party risk problem in a nutshell: your security posture is only as strong as your weakest vendor, and file transfer systems remain a favorite target for ransomware groups.

The fact that Nissan has suffered breaches in four of the last five years should be raising serious questions about their vendor risk management program. At some point, “our systems weren’t the ones breached” stops being a defense and starts being an indictment of how much sensitive data they’re entrusting to insufficiently secured partners.