Home > Consumer Information > Privacy, Identity Theft and Data Security Breaches > Data Breach Notifications
Data Breach Notifications
Entity Information
- Type of Organization: Other Commercial
- Entity Name: Nissan North America, Inc. (“NNA”)
- Street Address: One Nissan Way
- City: Franklin
- State, or Country if outside the US: Tennessee
- Zip Code: 37067
Submitted By
- Name: Kathryn Walker
- Title: Member
- Firm name (if different than entity): Bass Berry & Sims
- Telephone Number: 615-742-7855
- Email Address: kwalker@bassbery.com
- Relationship to entity whose information was compromised: Attorney
Breach Information
- Total number of persons affected (including residents): 53038
- Total number of Maine residents affected: 9
- If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified:
- Date(s) Breach Occured: 11/07/2023
- Date Breach Discovered: 02/28/2024
- Description of the Breach:
- External system breach (hacking)
- Information Acquired - Name or other personal identifier in combination with: Social Security Number
Notification and Protection Services
- Type of Notification: Written
- Date(s) of consumer notification: 05/15/2024
- Copy of notice to affected Maine residents: NNA Sample Incident Notice.pdf
- Date of any previous (within 12 months) breach notifications:
- Were identity theft protection services offered: Yes
- If yes, please provide the duration, the provider of the service and a brief description of the service: On November 7, 2023, NNA learned it was the victim of a targeted attack against its external VPN when a criminal threat actor deliberately shut down certain NNA systems and demanded a ransom. Immediately upon discovering the criminal attack, NNA (working very closely with external cybersecurity professionals experienced in handling these types of complex security incidents) investigated, contained, and successfully terminated the threat. NNA promptly notified law enforcement of the data incident. On December 5, 2023, NNA notified all current employees of the incident, the possibility that certain employee personal information could have been accessed and that NNA would notify impacted individuals pending investigation. Through its investigation into the scope and cause of the incident, NNA learned the criminal threat actor accessed data from a number of NNA’s local and network shares but did not encrypt any data or render any of NNA’s systems inoperable. NNA conducted a thorough analysis of the potentially accessed data and throughout its forensic review found that nearly all implicated data was business information and did not contain Personal Information. However, on or about February 28, 2024, NNA identified certain personal information in the data primarily relating to current and former NNA employees including Social Security numbers. At this time, NNA has no indication that any information has been misused or was the attack's intended target. Since the attack, NNA has taken several steps to strengthen its security environment, including an enterprise-wide password reset, implementation of Carbon Black monitoring on all compatible systems, vulnerability scans, and other actions to address unauthorized access. NNA is currently reviewing its security processes and procedures for additional recommended remediation and protection efforts. Although NNA is not aware of any instances of fraud or identity theft resulting from this incident, it is providing affected residents, at no charge, with access to Experian’s IdentityWorks services for 24 months from the date of enrollment. NNA is also providing proactive fraud assistance to help with any questions that affected residents might have or in the event that they become a victim of fraud.
