Nissan Oceania has revealed the call centre it set up to handle customer inquiries after a cyber incident late last year has itself been breached.
The car maker said it enlisted OracleCMS to manage the “dedicated cyber incident call centre” it set up after a December 5 breach that impacted up to 100,000 customers.
However, OracleCMS was breached last month - and while most of its customers to date had been local councils, Nissan has now conceded it is exposed to that breach as well.
Owing to the circumstances in which it engaged OracleCMS, Nissan said this was “especially disappointing given people have already had their personal information compromised" once.
“Unfortunately, some Nissan customer, staff and other stakeholder information, which OracleCMS held on its systems to be able to answer incoming queries, was compromised during the incident,” the car maker said.
“That dataset includes names, contact details, dates of birth and a summary description of the information in the Nissan cyber incident notification letters.
“No identity documents, copies of documents or ID numbers were affected.”
In a separate letter [pdf], it added: "This means that, for individuals affected by both the Nissan breach and subsequent OracleCMS breach: their personal information was unlawfully accessed from Nissan’s IT servers on December 5 2023; and a summary description of the personal information that was compromised in the December incident was also published on the dark web as a result of the OracleCMS data breach."
Nissan said it is “doing everything we can to protect and support every person who interacts with us and our suppliers.”
It added that the “majority” of notifications for the original breach had now been sent to customers.
OracleCMS’ most recent update - which is undated - suggests it is “at an advanced stage” of a “comprehensive overview of all potentially impacted data”.
It said that some of its data was accessed and published online - a ransomware threat group has claimed responsibility for the attack.
OracleCMS added that the incident had been “contained” and that “an external vulnerability assessment and penetration test found no critical, high, medium or low vulnerabilities of … in-scope external-facing systems”, though it provided no additional detail of this exercise.