
Nissan Canada Finance Issues Data Breach Alert

1 Million Nissan and Infiniti Financing Customers' Details Potentially Exposed
Nissan GT-R. (Photo: Toshihiro Oimatsu, via Flickr/CC)

Nissan Canada Finance, which provides financing for vehicle buyers and leasers, is warning 1.13 million current and former customers that their personal information may have been stolen.


NCF, headquartered in Ontario, says in a security alert that it is "a victim of a data breach that may have involved unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance and Infiniti Financial Services Canada."

NCF is a subsidiary of carmaker Nissan Canada, which builds 60 models of vehicles under the Nissan, Infiniti and Datsun brand names (see Hack My Ride). "At this time, we have no indication that Nissan or Infiniti customers in Canada who did not obtain financing through NCF are affected," it says in the notification, issued Dec. 21.

The company says it is informing customers by letter and where possible also email. Potentially exposed data includes:

  • Customer name;
  • Customer address;
  • Vehicle make and model;
  • Vehicle identification number;
  • Credit score;
  • Loan amount;
  • Monthly payment amount.

"We are still investigating exactly what personal information has been impacted," the company says in its breach notification, adding that the breach appears to be limited to Canadian customers' data. The company adds that no payment card data was compromised.

Discovery to Notification: 10 Days

NCF says it first learned of the breach on Dec. 11. Regulatory requirements aside, many information security experts say firms should try to alert victims to a breach within 30 to 60 days of the organization first learning that it may have been hacked. But many experts recommend that when organizations issue their notification, they also include actionable information for victims (see Data Breach Notifications: What's Optimal Timing?).

Excerpt from Nissan Finance Canada's data breach notification to all customers.

In the case of NCF, it says all current and former customers are being offered 12 months of prepaid credit monitoring services via data broker TransUnion. "While the precise number of customers affected by this breach is not yet known, out of abundance of caution, NCF is notifying all of its customers and is offering all customers these credit monitoring services even if their personal information was not actually affected."

The company says it has alerted Canadian privacy regulators and law enforcement agencies to the breach and that it's brought in third-party digital forensic investigators. NCF didn't immediately respond to a request for comment about who it has hired to investigate the breach.

"We sincerely apologize to the customers whose personal information may have been illegally accessed and for any frustration or inconvenience that this may cause," says Alain Ballu, NCF's president. "We are focused on supporting our customers and ensuring the security of our systems."

The company has declined to specify who might have perpetrated the breach. "NCF is working with law enforcement and leading data security experts to help rapidly investigate this matter," it says. "We are unable to comment further at this time."

Customers Call for Class-Action Lawsuit

Predictably, some Nissan customers have begun calling for anyone whose data was potentially exposed to join a class action lawsuit (see No Surprise: Ashley Madison Breach Triggers Lawsuits).

Most class-action lawsuits filed in Canada and the United States fail to reach trial. Experts say the majority of such lawsuits get dismissed by courts over plaintiffs' inability to prove that they suffered "injury," which courts have historically defined very narrowly in terms of unreimbursed financial losses. But almost all breaches that have resulted in the theft of credit card and debit card data have had any consumer losses reimbursed by card issuers.

Class-action data breach lawsuits that manage to proceed often end with breached businesses opting to settle rather than risk an outcome that finds in favor of plaintiffs and potentially sets a precedent that would enable more such lawsuits to succeed.

In the United States, with Congress having failed to pass any data breach legislation, states have taken the lead, including passing laws that require breached businesses to notify victims (see Senators Again Propose National Breach Notification Law).

State attorneys general have also taken the lead in investigating organizations' information security practices and cracking down on anyone found not to have put proper security policies, procedures and practices in place (see Target Reaches $18.5 Million Breach Settlement with States).

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
