According to a company statement
, Andy Palmer, Executive Vice President of Nissan, said, "We have detected an intrusion into our company's global information systems network. On April 13, 2012, our information security team confirmed the presence of a computer virus on our network and immediately took aggressive actions to protect the company's systems and data."
Palmer noted protection of the company's systems and data was a priority and the company took "aggressive" actions to safeguard customer, employee and partner information. Crediting the company's quick action, Palmer said Nissan believes its systems are secure and no one's personal information has been compromised.
Nissan does say, however, they believe user IDs and passwords were compromised, but have no evidence these authentications were used for illicit purposes. The company indicates its intention to continue to be proactive in light of this recent exploit.
"Due to the ever-evolving sophistication and tenacity of hackers targeting corporations and governments on a daily basis, we continue to vigilantly maintain our protection and detection systems and related countermeasures to keep ahead of emerging threats. Our focus remains on safeguarding the integrity of employee, consumer and corporate information," Palmer said.
Why the delay?
The Wall Street Journal
reported Nissan's CIO David Reuter said the company opted to wait because “we were pulling the drawbridge up. We didn’t want to let the world know that there was an intrusion and didn’t want them to attack it.”
It was said since no sensitive data was exposed by the malware exploit, there was not a legal obligation to report the incident, reported WSJ.
At this time Nissan does not know who was behind the attack. “We do know the I.P. addresses but it really does not tell you a whole lot,” the New York Times
reported Reuter said. “Hackers can bounce things off servers all over the world, so the entry I.P. address is not necessarily where the hack originates. The trail goes cold pretty quickly.”
Corporate hacking is a growing issue with leaders becoming increasingly unnerved at the thought their company's networks might be exploited, enough where some are saying to take sensitive data offline
, which in theory perhaps makes logical sense. Certain customer, employee and partner information is not needed to be consistently online and shared in order to conduct business. Why put it at risk?
However, with the dependency on automated systems, is it realistic companies will do it? As technology increases efficiency to centralize, organize and accelerate sharing of data, many companies actively rely on networked systems. As a result, convenience and cost-savings generally win almost every time. All too many may not consider the high costs associated with data breaches
until it is too late.
“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached,” Shawn Henry, the F.B.I.’s top former cyber cop who recently joined the cybersecurity start-up CrowdStrike
, said in an interview with the New York Times. “I’ve seen behind the curtain. I’ve been in all the briefings. I can’t go into the particulars because it’s classified, but the vast majority of companies have been breached.”
In this case, seemingly fortunately Nissan caught the problem quickly and hopefully no serious damage has been done, but this incident is a reminder that any organization can be targeted at any time. Vigilance is key, and as Henry notes, corporate breaches are becoming more common