
Nissan Finance Canada Suffers a Data Breach - rishabhd
https://www.nissancanadafinance.ca/securitynotice
======
graystevens
Another breach. Credit where credit is due, they haven’t done too badly with
the announcement, but there are some key facts that people would like to know
that they unfortunately haven’t mentioned.

* They became aware of it Dec 11th – do they have an estimate of when this occurred?

* They mention what types of information have likely been affected, yet for some reason they mention “no payment details have been breached” right at the end of the Q&A? I’d have expected that to be much higher up the announcement.

* Not needed in the general announcement, but knowing how is always a point of interest (that may just be me, being in the business) – third party? SQLi? etc.

* How did they become aware of this? Did they discover this internally? Or did an outsider give them the heads-up?

I’d like to think that one day, that last question can be answered by my
startup[0], detecting breaches with a high degree of confidence with
pseudo/honey users.

[0] [https://breachinsider.com](https://breachinsider.com)
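One way to do the honey-user detection graystevens describes, as an added example that is not part of the thread or of breachinsider.com: seed each customer dataset with a synthetic account whose address encodes which dataset it was planted in, then match authentication-log lines against that registry. Any activity on a honey account is high-confidence evidence that its dataset leaked, because the account never does anything legitimately. The log line format, the SHA-256 address derivation, the dataset names and the secret are all assumptions made for the example.

```python
import hashlib
import re

HONEY_DOMAIN = "mail.example"  # assumed domain you control and monitor


def honey_address(dataset: str, secret: str) -> str:
    """Derive an unguessable honey e-mail address unique to one dataset."""
    token = hashlib.sha256(f"{secret}:{dataset}".encode()).hexdigest()[:12]
    return f"alex.{token}@{HONEY_DOMAIN}"


def build_registry(datasets, secret):
    """Map each honey address back to the dataset it was seeded into."""
    return {honey_address(d, secret): d for d in datasets}


# Assumed log format: "<timestamp> <event> user=<address> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def detect_leaks(log_lines, registry):
    """Return (timestamp, dataset, event, src) for every honey-account hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        user = m["user"].lower()  # attackers often re-case addresses
        if user in registry:
            hits.append((m["ts"], registry[user], m["event"], m["src"]))
    return hits


def leaked_datasets(hits):
    """Distinct datasets implicated by the hits, sorted for stable output."""
    return sorted({h[1] for h in hits})


SECRET = "constructed-secret"
DATASETS = ["loan-servicing", "credit-origination"]
REGISTRY = build_registry(DATASETS, SECRET)
SAMPLE_LOG = [  # constructed log lines; only the loan-servicing honey user appears
    "2017-12-11T02:14:07Z login_ok user=jane.doe@example.org src=203.0.113.5",
    f"2017-12-11T02:15:31Z login_failed user={honey_address('loan-servicing', SECRET)} src=198.51.100.7",
    "2017-12-11T02:16:02Z login_ok user=bob@example.org src=203.0.113.9",
    f"2017-12-11T03:01:44Z password_reset user={honey_address('loan-servicing', SECRET).upper()} src=198.51.100.7",
]

if __name__ == "__main__":
    for hit in detect_leaks(SAMPLE_LOG, REGISTRY):
        print("honey-account activity:", hit)
```

The same registry lookup can be applied to inbound mail or helpdesk tickets addressed to the honey identities; the dataset name on the hit answers graystevens's "how did they become aware" question with evidence rather than a third-party tip.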

------
singingboyo
> customer name, address, vehicle make and model, vehicle identification
> number (VIN), credit score, loan amount and monthly payment

If that turns out to really be the only affected info, does this actually have
identity theft implications? It compromises access to NCF accounts, I suppose,
but while there's some info that would normally be private (loan amounts,
credit score), I don't see any truly sensitive info here. Notably, no SIN,
work info, income amounts, or other things you'd expect on a credit
application.

Basically, as of now it looks like the post-approval payment tracking system
got breached, not the actual approval system.

------
deepnotderp
Any idea what could possibly help prevent these sorts of things in the future?
Could some runtime encryption like Intel SGX or Fortanix help?

(Disclaimer: no ownership in either)

~~~
privacypoller
IMO the answer is not technical but legislated responsibility and appropriate
penalties. If there were any sort of downside to collecting and insecurely
storing all this data, the problem would be self-correcting.

~~~
QAPereo
Put a statutory value on info, and a huge breach bankrupts you, so you seek
insurance. The insurers want money, not risk, so they due the living hell out
of your diligence. As you said, if it’s done right it’s self-correcting.

BUT... do it wrong and business will adapt in malignant ways, like folding and
restarting, or spinning off the liability.

~~~
deepnotderp
Inb4 "data default swaps".

------
doublethedee
Judging from the data that was released, it looks like their credit
origination system was compromised.

------
Sgt_Apone
Over 1.1 million possibly affected, and they dump this just before the holidays
when people are not paying attention. It's beyond time there were actual
penalties for this kind of negligence.

~~~
JSONwebtoken
Yes, let's wait until after the holidays so at least 1 month has passed before
we publicize the breach; that will surely get the consumers to understand
where we're coming from.

I would like to hire you as VP of Public Relations for my company.

