Cyber Incident Victim: Mazda Motor Corporation

Mazda Motor Corporation disclosed a data breach that was discovered in mid‑December 2025, involving unauthorized access to the management system used for warehouse operations related to parts procured from Thailand. The breach affected the personal information of employees of Mazda and its group companies as well as business partners, with a total of 692 records compromised. The exposed data included company‑issued user IDs, names, email addresses, company names, and business partner IDs. Mazda confirmed that no customer information was stored in the compromised system, so no customer data was affected.

The company determined that the cause of the incident was unauthorized access by a third party exploiting security vulnerabilities in the application, although it did not name the specific software or detail the bugs that were leveraged. Mazda had previously acknowledged in November 2025 that it was targeted in the Oracle E‑Business Suite hacking campaign but stated at that time that no evidence of data leakage had been found. A Mazda spokesperson told SecurityWeek that the newly disclosed incident is not related to the Oracle EBS attack and declined to attribute the breach to any particular threat actor, citing the ongoing investigation and the absence of confirmed contact from the attackers.

In response, Mazda reported the breach to the relevant authorities, promptly applied security patches, revised access policies and access monitoring, and restricted internet access to the affected system. The company stated that, as of the disclosure, no secondary harm had been confirmed, but noted that there is a possibility the exposed personal information could be misused in the future for phishing scams or spam emails. Mazda advised recipients of any suspicious communications to exercise caution. The notification concluded with the company’s commitment to continue monitoring the situation and cooperating with investigators.