OracleCMS breach exposes Nissan customer data in Australia, New Zealand

KANAGAWA, JAPAN — Nissan Oceania, Nissan’s regional operations in Australia and New Zealand, revealed that the call centre it contracted to handle customer inquiries following a cyber incident late last year has been breached.
The carmaker had enlisted OracleCMS to manage the “dedicated cyber incident call center” after a December 5 breach that impacted up to 100,000 customers.
Double breach impact
OracleCMS, primarily serving local councils, was breached last month, and Nissan has now confirmed its exposure to this breach.
The carmaker expressed disappointment, stating, “Unfortunately, some Nissan customer, staff, and other stakeholder information, which OracleCMS held on its systems to be able to answer incoming queries, was compromised during the incident.”
The compromised data includes names, contact details, dates of birth, and a summary description of the information in the Nissan cyber incident notification letters. However, no identity documents, copies of documents, or ID numbers were affected.
In a separate letter, Nissan elaborated, “This means that, for individuals affected by both the Nissan breach and subsequent OracleCMS breach: their personal information was unlawfully accessed from Nissan’s IT servers on December 5, 2023; and a summary description of the personal information that was compromised in the December incident was also published on the dark web as a result of the OracleCMS data breach.”
Ongoing support and protection
Nissan emphasized its commitment to protecting and supporting affected individuals, stating that it is doing everything it can to protect and support every person who interacts with it and its suppliers.
The company added that the “majority” of notifications for the original breach had now been sent to customers.
OracleCMS response
OracleCMS’ most recent update indicates it is “at an advanced stage” of a “comprehensive overview of all potentially impacted data.”
The company confirmed that some of its data was accessed and published online, with a ransomware threat group claiming responsibility for the attack.
OracleCMS said the incident had been “contained” and that “an external vulnerability assessment and penetration test found no critical, high, medium, or low vulnerabilities of … in-scope external-facing systems,” though it provided no additional details of this exercise.