Representatives of the world-renowned car manufacturer Nissan Motor Co., Ltd. issued a statement admitting that the company's systems were penetrated by a hacker who apparently managed to steal user IDs and password hashes.
The incident took place on April 13, 2012, when the organization’s IT security team noticed the presence of a piece of malware within the network. Immediate action was taken to protect sensitive data.
“This included actions to protect information related to customers, employees and other partners worldwide. This incident initially involved the malicious placement of malware within our IS network, which then allowed transfer from a data store, housing employee user account credentials,” said Andy Palmer, the firm’s executive vice president.
“As a result of our swift and deliberate actions we believe that our systems are secure and that no customer, employee or program data has been compromised. However, we believe that user IDs and hashed passwords were transmitted. We have no indication that any personal information and emails have been compromised,” he added.
This is not the first time Nissan has suffered a data breach. Back in February, the hacker known as Sepo demonstrated that he was able to easily gain access to the official website of Nissan Motors in Colombia.
At the time, the hacker leaked usernames and password hashes that belonged to the site’s administrators.
Hopefully, this incident will act as a wake-up call for the company. It’s clear that they have some security holes that need to be addressed and they’d better do something fast before their customers’ credentials end up online, or in the hands of cybercriminals with a malicious agenda.
Here is the complete statement from Andy Palmer, executive vice president, Nissan Motor Co., Ltd.:
Update. We've asked a couple of security professionals to comment on this incident and this is what they had to say.
Jeff Hudson, CEO of Venafi, an encryption management provider, said:
Another day, another breach. It’s getting to the point where we can display the logos of the world’s leading enterprises on a dart board and be all but certain they're under attack as great targets.
The Under Armour and Nissan breaches, where unencrypted employee personal information is missing and account credentials were stolen, demonstrate that data encryption is more than just a best practice - it’s become an indispensable information security defense.
By adding layers of well-managed encryption around data, organizations can reduce the risk of breaches that cause embarrassment, expenses and fines, and loss of customers.
Lynne Courts, CMO with FoxT, an access management software provider, explained:
You can't stop determined hackers. The Nissan compromise and those that have taken place every day prior for the past several years prove this.
The questions that Nissan and every other major enterprise should be asking now are how do we stop outsiders from becoming insiders, and how do we provide protection against someone who has insider credentials?
By adding multiple layers of access and authorization controls inside of the perimeter, organizations can stop outsiders armed with insider credentials from gaining access to sensitive information, servers, applications and even desktops.
Evolved access controls mean that administrative credentials don't necessarily have to be the 'keys to the kingdom' anymore.