Nissan Oceania

Summary

Nissan Oceania was impacted by a data breach at OracleCMS, the external supplier contracted to manage their dedicated cyber incident call centre. This represented a "second breach" for Nissan customers, as the call centre was established to respond to a December 2023 breach affecting up to 100,000 Nissan customers.

Attack Vector

On April 15, 2024, OracleCMS was alerted to a breach of its systems. Nissan became aware on April 18, 2024 that OracleCMS had been impacted by its own data breach affecting several clients. The compromised data was subsequently published on the dark web alongside data from Australian local councils and other OracleCMS clients.

Consumer Impact

The breach exposed customer names, contact details, dates of birth, and summary descriptions of information contained in Nissan's cyber incident notification letters. While no identity documents, copies of documents, or ID numbers were affected, the incident compounded privacy concerns for customers already impacted by the December 2023 Nissan breach who had provided information to the incident response call centre.

Response

In response to the OracleCMS breach, Nissan offered support measures including free credit monitoring via Equifax in Australia and Centrix in New Zealand, access to IDCARE's services, and reimbursement for replacement of compromised identity documents. The incident highlights the cascading risks of third-party breaches in incident response supply chains.