Cyber Incident Victim: Nissan

Date: Dec 2023

Location: Australia

Summary

Nissan Oceania experienced a cyber incident compromising personal data of up to 100,000 customers, prompting the establishment of an outsourced call center managed by OracleCMS to handle inquiries; subsequently, OracleCMS itself suffered a breach, exposing names, contact details, dates of birth, and summaries of information from the original incident notification letters. The initial breach involved unauthorized access to IT servers, while the follow-on supplier breach resulted in some data being published on the dark web, though no identity documents or copies were affected. The automaker engaged global incident response teams, notified cybersecurity authorities in Australia and New Zealand, and worked to restore systems while advising vigilance against scams.

Description

Nissan Oceania experienced a cyber incident on December 5, 2023, impacting its Australian and New Zealand operations, including Nissan Corporation and Financial Services systems. The company immediately engaged its global incident response team to investigate the breach’s scope and determine whether personal information was accessed. Nissan notified the Australian Cyber Security Centre and New Zealand National Cyber Security Centre while advising customers to monitor for unusual account activity or scams. Although dealership systems faced disruptions, local dealers remained operational for vehicle servicing and sales inquiries, with Nissan prioritizing system restoration and website updates for ongoing communication. The incident affected up to 100,000 customers, though the full extent of data exposure remained under investigation during the initial response phase.

In March 2024, OracleCMS—the third-party call center Nissan enlisted to manage customer inquiries following the December breach—suffered its own cyberattack, exposing Nissan-related data. Compromised information included names, contact details, dates of birth, and summaries of the original breach notification letters sent to affected individuals. Nissan confirmed no identity documents or ID numbers were accessed in the OracleCMS breach but noted that individuals impacted by both incidents had their personal information exposed twice: first from Nissan’s servers in December 2023, then via OracleCMS’s systems, with breach summaries published on the dark web. OracleCMS stated the attack was claimed by a ransomware group, involved data exfiltration, and had been contained, citing penetration tests that found no critical vulnerabilities in external-facing systems. Nissan criticized the supplier breach as “especially disappointing” given prior compromises and accelerated notifications for the original incident while working to support affected stakeholders.
