Frantic Everest ransomware gang turns up the heat on Nissan


Nissan isn’t willing to pay a ransom to the ransomware gang Everest, so the threat actor is upping the stakes. It has posted new details about the breach on its dark web site, and has even included the negotiation log between the hackers and the company.

As early as January, the ransomware gang Everest threatened to leak 900GB of Nissan’s internal data unless the auto manufacturer paid a ransom. Back then, the threat actor gave the company 5 days to pay up.

Nissan didn’t, apparently. That’s why Everest has probably decided to disclose quite a few details about the breach and the negotiations with Nissan, additionally leaking chunks of stolen data.

Claims to have 900GB of Nissan data

For example, Everest claims that the dataset includes “daily full dumps of the customer database over 6 years,” auto loan data from Nissan Financial Services, repair orders, dealer employee data, wholesale invoices, and business reports.

The data breach may have netted Everest 900GB of Nissan’s data. The hackers managed to compromise GCSSD Apps (Global Customer Service & Sales Data) FTP servers that served the Nissan and Infiniti dealer network in North America.

According to the gang, server credentials – 8 unique login and password pairs – have been publicly available in breach databases since September 2023.

A part of Everest’s post on the dark web. Image by Cybernews.

Everest allegedly found them across more than 30 separate breach compilations.

“Passwords were not changed for at least 3 years. Multi-factor authentication was absent,” it claimed.

This could be interpreted as an attempt to show that Nissan doesn’t really care about data security, and that it’s being punished by the leak and possible legal consequences.

For instance, in its post on the dark web, Everest takes care to highlight the fact that this isn’t Nissan’s first public cyber incident, claiming that the root cause has always been identical: exposed credentials on internet-facing systems.

The gang also warns that Nissan has missed all customer notification deadlines – never mind that Everest actually breached a third-party vendor. It also claims: “A class action is virtually inevitable.”

We’ve reached out to Nissan for comment and will update this article if or when the company replies.

Post reeks of desperation

But the long post also reeks of desperation. It looks like Everest is furious that Nissan hasn’t agreed to pay a ransom but is still hopeful that this sort of public shaming will push the company to do so.

For all the bragging about the stolen dataset, Everest has just posted a link to a password-protected folder that allegedly contains the data, claiming that the password will be released in a couple of days.

Nissan logo. By Cybernews

“It does look desperate from Everest. They normally just post a list of what they allegedly have, a selection of photo samples, and that’s it,” Cybernews researchers agree.

Besides, judging from the content of the posted negotiation log between Everest and Nissan, it’s obvious the gang is almost frantically trying to make the company realize that not paying the ransom would end up costing more.

In mid-March, Everest sent a message to an alleged representative of Nissan: “Let’s be clear: we’re holding 2.5 million people’s personal data and 900GB of your corporate data.”

“If this leaks, more than 2.5 million lawsuits won’t cost you [undisclosed amount of money]. They’ll cost you billions. Your partners will see exactly how you handle sensitive information,” the gang warned.

Everest is now threatening to release all data on April 3rd, including all customer personal data, which has so far been redacted.

And after the representative of Nissan told them a few times that the management was still discussing what to do, Everest snapped: “The board can move fast when it wants to. It moved fast when you settled the employee lawsuit for $1.5 million. It moved fast when you announced the Uber deal.”

“We’ve been dealing with the same person for two months. Every time we hear that ‘management is discussing.’”

“The negotiations look super extensive. They took a couple of months, went nowhere, and it makes us think that Everest just lost their temper,” our researchers continued.

For good measure, Everest is also sending a message to Uber, Wayve, and Nvidia – companies that have recently teamed up with Nissan to launch AI-powered robotaxis: “We believe you have the right to know what kind of partner you signed with.”

