Nissan NZ hit by cyberattack, Collins weighs in on the ‘Should be illegal to pay a cyber-ransom?’ debate

Nissan says hackers have hit its New Zealand and Australian operation.

It is still trying to gauge the extent of the attack, including whether customers’ personal information has been accessed.

The Japanese carmaker says it’s working with authorities, including the GCSB’s National Cyber Security Centre (NCSC).

In the meantime, customers have been told to closely monitor their accounts.

Nissan’s notification was first reported by specialist security sites around 4am this morning NZT.

‘Be vigilant’

“The Australian and New Zealand Nissan Corporation and Financial Services (“Nissan”) advises that its systems have been subject to a cyber incident,” Nissan’s alert reads.

“Nissan is working with its global incident response team and relevant stakeholders to investigate the extent of the incident and whether any personal information has been accessed. Nissan has also notified the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre.

“While the extent of the incident is still under investigation, Nissan encourages its customers to be vigilant across their accounts, including looking out for any unusual or scam activities.”

Nissan said it was working to restore its systems as soon as possible. The issue did not affect the Nissan Dealer Network, so dealers could still handle all vehicle and servicing queries.

The Herald is seeking comment from Nissan.

The attack on the carmaker comes on the heels of a cyberattack on Auckland Transport systems that rendered bus, train and ferry swipe cards inoperable for the best part of a week as a ransomware gang called Medusa demanded US$1 million.

“Ransomware and other financially motivated attacks are certainly not slowing down,” Brett Callow, a threat analyst with NZ-based global security firm Emsisoft told the Herald this morning.

“We need new strategies to deal with the problem, as our current ones are very clearly not working.

“In particular, governments need to consider banning the payment of ransoms, or at least limiting the circumstances in which they can be paid. This is likely the only way to bring the situation under control.”

The warning posted to Nissan NZ's website this morning.

The Labour-led Government rejected a ban on paying a cyber ransom, saying it would criminalise victims - although it did put a ban on Crown agencies paying a ransom. And it also noted the quirk that paying a ransom to a hacker based in Russia would breach sanctions imposed after the invasion of Ukraine, which risks a $100,000 fine for individuals and a $1 million fine for organisations.

This morning, new Attorney-General and Technology Minister Judith Collins took a similar approach.

“The New Zealand Government strongly discourages the payment of ransoms to cybercriminals, and urges all victims to report any cyber ransom incidents to the relevant agencies, regardless of whether a ransom is paid,” Collins told the Herald.

“In April 2023, Cabinet agreed that government agencies do not pay cyber ransoms.”

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.