Nissan Infosec Under Scrutiny: Breach Affects Over 50K US Employees!

Nissan's information security practices are back in the spotlight following a breach impacting over 50,000 US employees. Join us as we delve into the details of this security incident, its implications, and what it means for Nissan's cybersecurity measures.

Nissan's information security is once again under scrutiny following a breach that impacted over 50,000 employees in the United States.

Nissan has acknowledged another data breach, this time involving the theft of personal information belonging to more than 50,000 Nissan employees.

According to Nissan's disclosure, filed with the US state of Maine, the breach occurred in November 2023 through a targeted cyber attack. The incident involved a criminal threat actor compromising Nissan's external VPN, shutting down certain Nissan systems, and demanding payment.

The disclosure states that 53,038 Nissan employees in the US had their Social Security numbers stolen. Initially, Nissan believed only business information had been compromised, but by late February it became apparent that the attackers had also accessed employees' SSNs.

Nissan stated that there is no indication that the employee data was specifically targeted by the criminals, nor has it been misused thus far.

Since the attack, Nissan North America (NNA) has implemented several measures to bolster its security, including an enterprise-wide password reset, Carbon Black monitoring on all compatible systems, vulnerability scans, and other actions to address unauthorized access, as reported to the state of Maine.

Additionally, Nissan disclosed in March that its Oceania division's systems were compromised by the Akira ransomware gang, resulting in the theft of personal information belonging to over 100,000 customers.

The Akira attack on Nissan Oceania occurred in December 2023. It remains unclear whether there is any connection between the breaches in Oceania and North America. Nissan has been contacted for further clarification.

  1. FTC's Warning on Privacy Risks with Connected Car Tech: The United States Federal Trade Commission (FTC) has issued a notice highlighting its vigilance regarding potential privacy violations associated with connected car technology. The FTC emphasized the risks, including the potential for stalking, impact on insurance rates, and threats to consumer safety and national security. Recent actions against companies like X-Mode, Rite Aid, and Cerebral serve as warnings that the FTC will take action against illegal collection, use, and disclosure of personal data. Automakers are urged to prioritize consumer data protection and implement safeguards to prevent privacy breaches.

  2. Cisco Talos Explores macOS Security Challenges: Cisco Talos, a security research team, faced challenges in conducting fuzzing, a technique used to uncover vulnerabilities, on macOS due to its closed-source nature. However, they developed a snapshot-based approach that allows targeted fuzz testing of macOS kernel components. By taking snapshots of macOS executing a program, recording system processes, and running fuzzing tests iteratively, they can pinpoint vulnerabilities in macOS without custom harnesses. This method enables precise fuzz testing even on commodity CPUs, facilitating scalable security testing on macOS systems.
