1 Million Nissan and Infiniti Financing Customers’ Details Potentially Exposed
Nissan Canada Finance, which provides financing for vehicle buyers and leasers, is warning 1.13 million current and former customers that their personal information may have been stolen.
See Also: How to Scale Your Vendor Risk Management Program
NCF, headquartered in Ontario, says in a security alert that it is “a victim of a data breach that may have involved unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance and Infiniti Financial Services Canada.”
NCF is a subsidiary of carmaker Nissan Canada, which builds 60 models of vehcicles under the Nissan, Infiniti and Datsun brand names (see Hack My Ride). “At this time, we have no indication that Nissan or Infiniti customers in Canada who did not obtain financing through NCF are affected,” it says in the notification, issued Dec. 21.
The company says it is informing customers by letter and where possible also email. Potentially exposed data includes:
- customer name
- customer address
- vehicle make and model
- vehicle identification number (VIN)
- credit score
- loan amount
- monthly payment amount
“We are still investigating exactly what personal information has been impacted,” the company says in its breach notification, adding that the breach appears to be limited to Canadian customers’ data only. The company adds that no payment card data was compromised.
Discovery to Notification: 10 Days
NCF says it first learned of the breach on Dec. 11. Regulatory requirements aside, many information security experts say firms should try to alert victims to a breach within 30 to 60 days of the organization first learning that it may have been hacked. But many experts recommend that when organizations issue their notification, they also include actionable information for victims (see Data Breach Notifications: What’s Optimal Timing?).
In the case of NCF, it says all current and former customers are being offered 12 months of prepaid credit monitoring services via data broker TransUnion. “While the precise number of customers affected by this breach is not yet known, out of abundance of caution, NCF is notifying all of its customers and is offering all customers these credit monitoring services even if their personal information was not actually affected.”
The company says it has alerted Canadian privacy regulators and law enforcement agencies to the breach and that it’s brought in third-party digital forensic investigators. NCF didn’t immediately respond to a request for comment about who it has hired to investigate the breach.
“We sincerely apologize to the customers whose personal information may have been illegally accessed and for any frustration or inconvenience that this may cause,” says Alain Ballu, NCF’s president. “We are focused on supporting our customers and ensuring the security of our systems.”
The company has declined to specify who might have perpetrated the breach. “NCF is working with law enforcement and leading data security experts to help rapidly investigate this matter,” it says. “We are unable to comment further at this time.”
Customers Call for Class-Action Lawsuit
Predictably, some Nissan customers have begun calling for anyone whose data was potentially exposed to join a class action lawsuit (see No Surprise: Ashley Madison Breach Triggers Lawsuits).
Fazan, we’re sorry for any frustration this may have caused. We have a dedicated website for our customers with information related to the data security incident. For more details, please visit https://t.co/L5oV3QbY9b or call 1-877-224-4711.
— Nissan Canada (@nissancanada) December 22, 2017
Most class-action lawsuits filed in Canada and the United States fail to reach trial. Experts say the majority of such lawsuits get dismissed by courts over plaintiffs’ inability to prove that they suffered “injury,” which courts have historically defined very narrowly in terms of unreimbursed financial losses. But almost all breaches to date that have resulted in the theft of credit card and debit card data have been reimbursed by card issuers.
Class-action data breach lawsuits that manage to proceed often end with breached businesses opting to settle rather than risk an outcome that finds in favor of plaintiffs and potentially sets a precedent that would enable more such lawsuits to succeed in the future.
In the United States, with Congress having failed to pass any data breach legislation, states have taken the lead, including passing laws that required breached businesses to notify victims (see Senators Again Propose National Breach Notification Law).
State attorneys general have also taken the lead in investigating organizations’ information security practices and cracking down on anyone found to have put proper security policies, procedures and practices in place (see Target Reaches $18.5 Million Breach Settlement with States).