IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Misconfigured Git servers lead to Nissan data leak

Leak stemmed from Nissan using of default “admin” password

Nissan sign on a background of the sky

Swiss-based software engineer and security researcher Tillie Kottmann has discovered the source code for Nissan North America’s internal mobile apps and tools on a misconfigured Git server.

Kottmann said in a tweet he’d found a “complete dump” of all Git repositories from Nissan NA. The dump included sources for the Nissan NA mobile apps, some parts of the ASIST diagnostics tool, and the dealer business systems and portal.

The researcher also found details on Nissan’s internal core mobile library, NCAR/ICAR services, client acquisition and retention tools, sale/market research tools and data, various marketing tools, and vehicle logistics portal.

The leak stemmed from a Git server that was left visible online with its default username and password combo of “admin.” Nissan is probing the leak, and the Git server was taken offline after the data started disseminating on Monday via Telegram channels and hacking forums.

The security researchers who uncovered the misconfigurations received a tip about Nissan's Git server after they found a similarly misconfigured GitLab server in May 2019.

Martin Jartelius, CSO at Outpost24, told ITPro that it’s a basic security control to change the vendor default passwords when deploying a system. 

“From the nature of the content, this should be a production system and reviewed prior to having the source code uploaded. This basic control forms part of most organizations ISMS standards, i.e., ISO27001 policies and regulations internally. As Nissan Japan had their 9001 certificate revoked in 2017 by authorities it is not the first time the successful implementation of good plans and strategies has not reached all the way to execution in the large organization,” Jartelius said.

Mark Bower, SVP at comforte AG, told ITPro that this leak was a "classic example of the security being only as good as the weakest link".

"Most likely, in this case, [this is] down to both human error and lack of process for risk scanning of critical infrastructure for vulnerable credentials and effective data security,” Bower said. "The recent Solarwinds situation should have prompted organisations across the industry to revisit their supply chain security, data security and authentication as a matter of priority – including any internet-facing or cloud components."

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Recommended

Just enough data governance
Whitepaper

Just enough data governance

22 Sep 2022
Block accused of woefully mishandling data breach affecting 8.2 million users
Business operations

Block accused of woefully mishandling data breach affecting 8.2 million users

25 Aug 2022
Legal challenge for Sadiq Khan over ANPR expansion, Met access to data
data processing

Legal challenge for Sadiq Khan over ANPR expansion, Met access to data

3 Aug 2022
DataGrail hires former Shopify VP Cathy Polinsky as CTO
Business strategy

DataGrail hires former Shopify VP Cathy Polinsky as CTO

27 Jul 2022

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
Why collaboration is key to digital transformation
Sponsored

Why collaboration is key to digital transformation

13 Sep 2022