Nissan Motor Co. Ltd. confirmed that approximately 21,000 customers of Nissan Fukuoka Sales Co., Ltd., in Fukuoka, Japan, had personal data exposed in a September Red Hat breach through unauthorized access to data servers.
The Japanese multinational automobile manufacturer, headquartered in Yokohama, Japan, produces more than 3.2 million cars annually and employs 120,000 people. Nissan maintains operations across Japan, North America, Europe, and Asia. The company disclosed its indirect involvement in the Red Hat security incident, which stemmed from Red Hat’s role in developing customer management systems for Nissan’s sales companies.
In its announcement, Nissan stated: “Nissan Motor Co., Ltd. received a report from Red Hat, the company it commissioned to develop customer management systems for its sales companies, that unauthorized access to its data servers had resulted in the data being leaked. It was later confirmed that the data leaked by the company contained some customer information from Nissan Fukuoka Sales Co., Ltd.”
The affected customers, who had purchased vehicles or received services at Nissan locations in Fukuoka, numbered around 21,000. Their leaked information encompassed the following details:
- Full names of individuals associated with the purchases or services.
- Physical addresses linked to customer records in the sales operations.
- Phone numbers provided during vehicle transactions or service visits.
- Email addresses used for communications related to Nissan dealings in Fukuoka.
- Customer data used in sales operations, including records maintained for business purposes by Nissan Fukuoka Sales Co., Ltd.
Nissan specified that no financial information, such as credit card details, appeared in the leaked data.
Red Hat, a U.S.-based enterprise software company, disclosed the breach in early October 2025. The incident involved the theft of hundreds of gigabytes of sensitive data from 28,000 private GitLab repositories. The Crimson Collective threat actor initially claimed responsibility for the hack. Subsequently, the ShinyHunters group hosted samples of the stolen data on their extortion platform, exerting direct pressure on Red Hat.
Nissan emphasized that the compromised Red Hat environment held no additional Nissan-related data beyond the confirmed customer information from Fukuoka. The company reported no evidence indicating misuse of the leaked data to date.
This event represents the second cybersecurity incident for Nissan Japan in 2025. In late August, a Qilin ransomware attack targeted the company’s design subsidiary, Creative Box Inc. (CBI). In the prior year, Nissan North America experienced a data breach affecting 53,000 employees. Separately, Nissan Oceania disclosed an Akira ransomware attack that exposed data belonging to 100,000 customers.
