Automaker Nissan Motor has issued an apology after Red Hat, the company that was developing a customer management system for its dealerships, detected a breach that exposed the data of 21,000 customers in Japan.
Red Hat detected the unauthorized access on September 26, 2025. It cut off the access and took measures to prevent re-intrusion into the server, then informed Nissan of the data breach on October 3. The automaker reported the incident to Japan’s Personal Information Protection Commission.
The data leak affected customers who have bought a vehicle or had service done at Fukuoka Nissan Motor (now called Nissan Fukuoka Sales).
The companies confirmed that the exposed data comprised customer information, including addresses, names, phone numbers, partial email addresses, and other information used for sales. Credit card information was not exposed, Nissan stated.
Nissan said there is no evidence that the leaked information has been used beyond its initial exposure, but it warned customers that they could be the target of phishing attacks:
“At this time, there has been no confirmation that the leaked information has been used for secondary purposes. However, we ask that you be extremely cautious of any suspicious phone calls or mail you receive.”
Nissan added that the servers used by Red Hat don’t store any other customer information, “so there is no risk of further data leaks.”
How Vendors Are Becoming the Front Door for Data Breaches
The Nissan data breach reflects the growing risk of data hacks through third-party software, which often gives malicious actors an easier way to infiltrate larger organizations. Companies depend on outside vendors for things like customer management, payment processing, cloud storage, and analytics, and if even one of those services has a security gap, a significant amount of sensitive data can be exposed.
Hackers tend to go after these vendors because they may have weaker protections, outdated software, or too much access to internal systems. Once attackers get in, they can use shared logins, access tokens, or integrations to pull customer data directly or access core systems, turning third-party tools into a common and ongoing security risk.
Nissan acknowledged the need to strengthen security controls and oversight across third-party software and vendor systems that handle customer data.
“Nissan takes this incident very seriously and will strengthen its monitoring of its subcontractors and take further steps to strengthen information security. We would like to once again offer our deepest apologies to our customers for any inconvenience caused.”
The Nissan data breach is not the only security issue Red Hat has been dealing with in recent months. In October, shortly after it detected the Nissan leak, the vendor confirmed that there had been unauthorized access to a GitLab instance its consulting team used for certain client engagements. Red Hat stated:
“Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.”
A hacker group calling itself the Crimson Collective publicly claimed responsibility, alleging that it stole nearly 570GB of data, including content from over 28,000 internal repositories and 800 Customer Engagement Reports (CERs) spanning 2020 to 2025, according to an alert issued by the Financial Industry Regulatory Authority (Finra).
The compromised GitLab instance held consulting engagement data, such as Red Hat’s project specifications, example code snippets, internal communications about consulting services and limited business contact information, Red Hat said.
The vendor implemented “additional hardening measures designed to help prevent further access and contain the issue.”
“At this time, we have no reason to believe this security issue impacts any of our other Red Hat services or products, including our software supply chain or downloading Red Hat software from official channels.”
That incident was separate from a vulnerability that the vendor announced the previous day in its OpenShift AI Service. The flaw enabled a low-privileged attacker with access to an authenticated account to escalate their privileges to full cluster administrator, which would allow them to steal sensitive data, disrupt all services and take control of the underlying infrastructure. This could lead to a total breach of the platform and all applications hosted on it.
Nissan has also been exposed to other security breaches recently. Earlier this month, the INC Ransom hacking group claimed to have breached Japanese automotive supplier Yazaki Group and stolen 350GB of data, including confidential documents, client data, NDAs and more related to major automakers such as Nissan, BMW and Scania. And in August, Nissan Japan confirmed a data breach through unauthorized access to its Creative Box vehicle design subsidiary, which had been claimed by the Qilin ransomware group.
The incidents underscore that safeguarding customer trust now depends as much on securing third-party partners and systems as it does on protecting internal infrastructure.