Lessons Learned from the Nissan North America Data Breach
February 21, 2023

Hananel Livneh
Adaptive Shield

Recently, Nissan North America confirmed a data breach at a third-party service provider. Details of the breach were highlighted in a notification that was filed with the Office of the Maine Attorney General on January 16, 2023. Here's what was learned from the report:

■ A software development vendor alerted Nissan of the breach in June 2022.

■ Nissan provided the vendor with customer data, which it used to develop and test software solutions.

■ The data was inadvertently exposed due to a poorly configured cloud-based public repository.

■ The breach impacted close to 18,000 customers.  

As for the automobile giant's response, Nissan acted quickly, securing the exposed repository and launching an internal investigation. Through this review, Nissan determined the incident was most likely the result of an unauthorized person accessing the data, which includes full names, dates of birth, and Nissan account numbers. The company's investigation also found no evidence that credit card information or Social Security numbers were exposed, or that this information had been misused.

While the latter point is good news, there are still lessons to be learned from this incident. The first, is the importance of securing repository access such as GitHub, GitLab, Bitbucket, and more. Nissan is not alone. There are many other repository-related incidents like this. One example is the breach of Slack's GitHub repositories. After conducting its investigation, Slack tied the breach to stolen Slack employee tokens, which were then used to download private Slack code repositories.

In most cases, the issue comes down to a simple directive — businesses must take all the necessary actions to ensure that private repositories used for developing and testing remain private. I'm not saying they cannot utilize open repositories. Those are great for things such as sharing back to the community. For businesses with both, the onus is on security teams to regularly monitor and evaluate these repositories and identify those that are open and who should have access. When changes in the visibility of a repository occur, they must be alerted, logged, and evaluated by the security team.

A second lesson learned involves the use of real customer data for development and testing purposes. There is always a risk when introducing customer data into a sandbox, especially where the focus is building and testing, that security takes a backseat. This is precisely why introducing customer data is extremely dangerous.

From my experience, the main reason that businesses don't prioritize security in these environments is simple — they don't believe it's as important to secure and maintain the same levels of good configuration hygiene in test environments as in a production environment. Instead, they apply minimum security and safeguards, a practice that prevails despite the growing number of incidents where real data is leaked.

To stop the bleeding, remove real data from the sandbox and use synthetic data. Since sandboxes are typically used to test changes in configurations, processes, flows and more, they do not require real data. Any data that uses the same format is sufficient.

A failure to take these steps into account open businesses to a breach, the impact of which can be significant. In the case of Nissan, consumer confidence can soften after sensitive customer data is stolen. For affected customers, Nissan is providing free one-year identity protection services from Experian. But breaches like this can have long-term impacts on the brand. Nissan had to go public by sending out notifications and reporting them to the Office of the Maine Attorney General.

While awareness of these attacks continues to grow, there is little chance that incidents will abate unless organizations take action. Start by securing repositories and making sure that those which need to remain private stay that way. Next, ensure that your teams treat test environments the same as they do production environments when it comes to security. When done correctly, and with the aid of automatic tools, these steps can keep your organization and its customer data secure, while allowing teams to continue playing safely in the sandbox.

Hananel Livneh is Head of Product Marketing at Adaptive Shield
Share this

Industry News

February 22, 2024

Check Point® Software Technologies Ltd. introduces Check Point Quantum Force series: an innovative lineup of ten high-performance firewalls designed to meet and exceed the stringent security demands of enterprise data centers, network perimeters, campuses, and businesses of all dimensions.

February 22, 2024

Tabnine announced that Tabnine Chat — the enterprise-grade, code-centric chat application that allows developers to interact with Tabnine AI models using natural language — is now available to all users.

February 22, 2024

Avaamo released Avaamo LLaMB™, a new low-code framework for building generative AI applications in the enterprise safely, securely, and fast.

February 21, 2024

CAST announced the winter release of CAST Imaging, an imaging system for software applications, with significant user experience (UX) enhancements and new features designed to simplify and accelerate processes for engineers who develop, maintain, modernize, complex software applications.

February 21, 2024

Pulumi now offers native ways to manage Pinecone indexes, including its latest serverless indexes.

February 21, 2024

Orkes, whose platform offers the fastest way to scale distributed systems, has raised $20 million in new funding.

February 20, 2024

JFrog and Carahsoft Technology announced a partnership that empowers U.S. Government organizations to safeguard their software supply chains with automated DevSecOps workflows to secure software services consumed by citizens.

February 20, 2024

Multiplayer, a collaborative tool for teams that work on system design and distributed software, announced its public beta.

February 20, 2024

DataStax announced its out-of-the-box retrieval augmented generation (RAG) solution, RAGStack, is now generally available powered by LlamaIndex as an open source framework, in addition to LangChain.

February 20, 2024

UiPath announced new features in its platform designed to enable developers to build, test, and accelerate implementation of automations.

February 15, 2024

Kong announced a suite of open-source AI plugins for Kong Gateway 3.6 that can turn any Kong Gateway deployment into an AI Gateway, offering unprecedented support for multi-Language Learning Models (LLMs) integration.

February 15, 2024

ngrok unveiled early access to its API gateway-as-a-service.

February 15, 2024

Tabnine announced a strategic partnership with DigitalOcean.

February 15, 2024

Salt Security announced that the Salt Security API Protection Platform is now available for purchase in the CrowdStrike Marketplace, a one-stop destination for the world-class ecosystem of CrowdStrike compatible security products.

February 14, 2024

Perforce Software signed a definitive agreement to acquire Delphix.