Nissan Motor Co. reported on Monday that the personal data of approximately 21,000 customers had been exposed as a result of a data breach at Red Hat. The breach was discovered in September. Red Hat is responsible for developing and hosting customer management systems for Nissan’s sales companies.
According to Nissan, Red Hat notified the company that unauthorized persons had gained access to the American software supplier’s data servers and stolen data. It later emerged that the leaked dataset also contained customer information from Nissan Fukuoka Sales, a regional sales organization in Japan. The affected customers are those who purchased a vehicle or had maintenance carried out in the Fukuoka region in the past.
The leaked information includes full names, physical addresses, telephone numbers, email addresses, and additional customer data used for sales and marketing purposes. According to Nissan, financial data, such as credit card information, was not part of the incident. The company states that the affected Red Hat environment did not contain any customer data other than the information that is now known. There are no indications of misuse of the information.
ShinyHunters attacked Red Hat
The data breach at Red Hat was made public in early October. It involved the theft of hundreds of gigabytes of sensitive data from approximately 28,000 private GitLab repositories. The attack was initially claimed by the Crimson Collective threat group. Later, the well-known cybercriminal group ShinyHunters published examples of the stolen data on its own extortion platform, further increasing the pressure on Red Hat.
Nissan emphasizes that, after receiving the report from Red Hat, it immediately notified the Japanese data protection regulator and that affected customers were informed directly. At the same time, the company acknowledges that the incident raises questions about the security of outsourced IT environments and says it is taking additional measures to strengthen its oversight of external suppliers.
BleepingComputer asked Nissan Japan, Nissan Europe, and Nissan Americas for additional comment but received no response. The incident at Red Hat marks the second cybersecurity issue for Nissan Japan this year, following a ransomware attack by the Qilin group in late August that affected its subsidiary Creative Box.
Internationally, Nissan has also faced multiple data breaches in recent years. In 2024, the data of approximately 53,000 employees was exposed at Nissan North America, while Nissan Oceania previously reported that an Akira ransomware attack had compromised the data of approximately 100,000 customers.