Nissan confirms that source code of its North America mobile apps and internal tools was leaked online after the company misconfigured one of its Git servers.
In a blog post made on October 5, 2017, the car-maker announced that “an unauthorised party [had] obtained and published confidential information including source code for our North American business apps and internal tools”.
Nissan pointed out that no personal information for drivers or passengers has been shared or exposed as a result of this incident, nor was access gained to its infotainment system, NissanConnect.
Source code is the blueprint from which software is built and is normally kept secure. In this case, it seems it was not.
The car-maker said that the leak mainly affected its “mobile applications for internal use by our employees”.
The leaked source code and tools included databases, file system details, and details related to “mobile application source code in various stages of development”.
It is not known how the source code and tools were leaked, but Nissan believes it may have happened as a result of “a misconfigured Git server that was accessible globally on the internet”.
GitHub is a web-based source code hosting service operated by GitHub, Inc., used primarily for software development and storage. To verify the findings of its investigations, the car-maker contacted GitHub to check if a malicious or suspicious branch had been created.
And indeed one had been.
The branch contained the internal apps’ source code. It was then changed to prevent any further leak of information, taken down and secured. Nissan also contacted law enforcement agencies to report the incident and keep them informed of the steps it had taken.
Nissan Chief Executive Hiroto Saikawa said: “We are deeply sorry for this incident. We are determined to work closely with our partners, such as GitHub, to ensure such incidents will not happen again.”
Shortly after this incident, on October 14, 2017, Nissan filed a civil lawsuit against unknown individuals or entities for stealing the company’s sensitive documents.
As part of its investigation, Nissan is also collaborating with leading cybersecurity authorities, law enforcement and private investigators.
However, Nissan has not named the hackers or said what was stolen from its website, though it did confirm that the leaked data was not personal information.
The company also confirmed that it has already notified law enforcement and is working alongside them to investigate the incident further.
Nissan said it is still in the process of confirming how much data was stolen and how it was taken.
“We continue to investigate the extent of this incident, as well as to examine our network environment and confidentiality measures,” Saikawa said.
“To date, we have not discovered any incident that resulted in unauthorized access to personally identifiable information or sensitive driving data,” said Nissan’s spokesperson, Sarah Doll.
The company did not, however, confirm when the breach occurred.
“Nissan is working with its outside attorneys to determine appropriate next steps. We are also working with the proper authorities in both Canada and the U.S., as well as with law enforcement,” Doll added.
The car-maker will also be releasing security updates for its apps and internal tools to ensure that no further leaks will happen in the future.