Nissan says alleged data breach linked to third-party vendor, not internal systems

Nissan Motor Co., a Japan-based global automaker, said claims of a recent data breach are tied to a cyber incident involving a third-party vendor and do not affect its internal systems or customer data, following assertions from a hacking group that it had stolen a large volume of information.

A company spokesperson confirmed awareness of a cybersecurity incident earlier this year that impacted an external service provider supporting Nissan and Infiniti dealerships in North America. The spokesperson said an internal review found the issue was contained to the vendor’s environment and limited to information shared with that provider.

The Everest hacking group has claimed responsibility for the breach, stating it accessed a file transfer system used by the vendor and obtained approximately 910 gigabytes of data. The group alleges the data includes customer records, dealership information and loan-related details tied to vehicle purchases.

Nissan said there is no evidence its own systems were compromised or that customer information held directly by the company was accessed or placed at risk. The automaker added that it is working with the vendor as it continues its investigation into the incident.

Everest has stated the breach occurred in January and said it attempted to extort payment in exchange for not releasing the data. The group has continued to threaten publication of the material while making additional claims about failed negotiations. The extent and authenticity of the allegedly stolen data have not been verified.

Nissan has faced multiple cybersecurity incidents in recent years. Data breaches disclosed in 2022 and 2023 exposed information belonging to more than 75,000 individuals. In 2024, a separate cyberattack affected approximately 100,000 customers and employees in Australia and New Zealand. The company remains one of the world’s largest automakers, reporting net sales of $79 billion in 2024.