Nissan Fukuoka Customer Management System Data Breach Exposes 21,000 Customers in Red Hat GitLab Incident
- Rescana
- 3 days ago
- 6 min read

Executive Summary
Nissan Motor Co., Ltd. has confirmed that approximately 21,000 customers of Nissan Fukuoka Sales Co., Ltd. were affected by a data breach resulting from a security incident at its third-party vendor, Red Hat. The breach, first detected by Red Hat on September 26, 2025, involved unauthorized access to a self-managed GitLab instance used by Red Hat Consulting. The threat actor, known as the Crimson Collective, exfiltrated sensitive customer data, including full names, physical addresses, phone numbers, email addresses, and sales-related information. No financial or payment data was exposed. Nissan was notified of the breach on October 3, 2025, and promptly reported the incident to the Personal Information Protection Commission. There is currently no evidence that the compromised data has been misused or sold on underground markets. The incident highlights the risks associated with third-party vendor relationships, particularly in the automotive sector, and underscores the importance of robust vendor risk management and incident response protocols. All information in this summary is directly supported by primary, independently corroborated sources (BleepingComputer, CybersecurityNews, FINRA).
Technical Information
The breach originated from a compromise of a self-managed GitLab instance operated by Red Hat Consulting. The Crimson Collective threat actor exploited this environment to gain unauthorized access and exfiltrate sensitive data, including customer information for Nissan Fukuoka Sales Co., Ltd. The attack chain began with the use of the open-source tool TruffleHog to search for and exploit leaked AWS credentials within code repositories. Once valid credentials were identified, the attackers authenticated to the environment and initiated a series of actions mapped to the MITRE ATT&CK framework.
Initial Access was achieved through the abuse of valid cloud accounts (MITRE ATT&CK T1078.004), specifically by leveraging credentials discovered via TruffleHog. The attackers then created new users and access keys, escalating privileges by attaching the AdministratorAccess policy to these accounts (T1136.003).
Discovery and Lateral Movement involved extensive reconnaissance using AWS APIs to enumerate resources, map the environment, and identify valuable data (T1087.004, T1069.003, T1580, T1526, T1619). The attackers staged data for exfiltration by creating snapshots of databases and EBS volumes, exporting them to S3 buckets, and retrieving the data using GetObject API calls (T1530, T1074.002, T1567).
Extortion followed the exfiltration phase, with the Crimson Collective sending extortion notes to victims via AWS Simple Email Service and external email platforms. The group threatened to leak or sell the stolen data if their demands were not met. The ShinyHunters group later became involved by hosting and amplifying the extortion campaign with samples of the stolen data (Rapid7, BleepingComputer).
No custom malware was reported in this breach; the attack relied on credential abuse, cloud-native tools, and AWS APIs. The technical evidence supporting these claims includes CloudTrail logs, direct statements from Red Hat, and independent analysis by Rapid7.
The Crimson Collective is a recently identified threat actor, first observed in September 2025, specializing in cloud environment breaches for data exfiltration and extortion. The group is known for leveraging compromised credentials, creating new privileged accounts, and exfiltrating data from cloud environments. Their operations are characterized by coordinated activity across multiple IP addresses and compromised accounts. The ShinyHunters group, known for data leaks and extortion, amplified the impact by distributing samples of the stolen data (Rapid7, BleepingComputer, FINRA).
The breach demonstrates the risks inherent in third-party vendor relationships, particularly for customer management systems in the automotive sector. Nissan has experienced multiple cybersecurity incidents in recent years, including ransomware attacks and data breaches, underscoring the sector’s attractiveness to threat actors seeking to exfiltrate personally identifiable information (PII) for extortion or follow-on phishing and social engineering attacks.
Indicators of Compromise (IOCs) associated with this incident include the following IP addresses: 45.148.10[.]141, 195.201.175[.]210, 5.9.108[.]250, and 3.215.23[.]185 (Rapid7).
Attribution to the Crimson Collective is assessed with high confidence, based on direct claims, technical artifacts, and corroboration from multiple independent sources. The involvement of ShinyHunters as data extortion amplifiers is assessed with medium confidence, based on circumstantial evidence and extortion platform activity.
Affected Versions & Timeline
The breach specifically impacted the customer management system developed by Red Hat for Nissan Fukuoka Sales Co., Ltd. The affected dataset includes customer information for individuals who purchased vehicles or received services at Nissan in Fukuoka, Japan. The compromised data consists of full names, physical addresses, phone numbers, email addresses, and sales-related customer information. No financial or payment data, such as credit card details, was exposed (BleepingComputer, CybersecurityNews).
The verified timeline of events is as follows:
On September 26, 2025, Red Hat detected unauthorized access to its consulting division’s GitLab servers (CybersecurityNews). On October 3, 2025, Red Hat notified Nissan of the breach, and Nissan reported the incident to the Personal Information Protection Commission on the same day (CybersecurityNews). In October 2025, Red Hat publicly confirmed the breach and the involvement of the Crimson Collective (FINRA). On December 21-22, 2025, Nissan publicly disclosed the impact on approximately 21,000 customers (BleepingComputer, CybersecurityNews).
Threat Activity
The Crimson Collective threat actor initiated the attack by exploiting leaked AWS credentials found in code repositories using TruffleHog. After gaining initial access, the attackers created new privileged accounts and escalated their permissions within the cloud environment. They conducted extensive reconnaissance to map the environment and identify valuable data, then staged and exfiltrated customer information by creating and exporting database and EBS volume snapshots to S3 buckets.
The attackers’ primary objective was large-scale data theft and extortion. After exfiltrating the data, they sent extortion notes to victims, threatening to leak or sell the stolen information. The ShinyHunters group later amplified the extortion campaign by hosting samples of the stolen data on their platform.
The attack chain is mapped to the following MITRE ATT&CK techniques: Valid Accounts: Cloud Accounts (T1078.004), Create Account: Cloud Account (T1136.003), Data from Information Repositories: Code Repositories (T1213.003), Exfiltration Over Web Service (T1567), Data from Cloud Storage (T1530), Data Staged: Remote Data Staging (T1074.002), and several discovery and privilege escalation techniques. The attackers did not deploy custom malware, relying instead on credential abuse and cloud-native tools (Rapid7).
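As an added illustration (not code from Rescana, Rapid7 or Red Hat), the sequence described in the Technical Information and Threat Activity sections can be checked for in CloudTrail: the script below groups constructed sample records by caller and flags an identity that creates a principal and attaches AdministratorAccess, stages snapshots before S3 GetObject calls, or pulls many objects from one source address. The event-name sets, the GetObject threshold, and the sample ARNs, bucket and IP addresses are assumptions made for the example.

```python
from collections import Counter, defaultdict

# CloudTrail eventNames for the steps above: new identities/keys, AdministratorAccess, snapshot staging, bulk S3 reads.
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ACCOUNT_CREATION = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
STAGING = {"CreateSnapshot", "CreateDBSnapshot", "ModifySnapshotAttribute", "StartExportTask"}
GETOBJECT_THRESHOLD = 100  # constructed threshold; tune to the account's own baseline

def triage(events, threshold=GETOBJECT_THRESHOLD):
    """Group CloudTrail records by caller ARN; return a list of (arn, reason) findings."""
    by_actor = defaultdict(lambda: {"created": [], "admin": [], "staged": [], "gets": Counter()})
    for ev in events:
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        name, params = ev.get("eventName", ""), ev.get("requestParameters") or {}
        s = by_actor[actor]
        if name in ACCOUNT_CREATION:
            s["created"].append(params.get("userName", "?"))
        elif name in ("AttachUserPolicy", "AttachRolePolicy") and params.get("policyArn") == ADMIN_POLICY:
            s["admin"].append(params.get("userName") or params.get("roleName", "?"))
        elif name in STAGING:
            s["staged"].append(name)
        elif name == "GetObject":
            s["gets"][ev.get("sourceIPAddress", "?")] += 1
    findings = []
    for actor, s in by_actor.items():
        if s["created"] and s["admin"]:  # T1136.003 followed by privilege escalation
            findings.append((actor, f"new principal {sorted(set(s['created']))} given AdministratorAccess"))
        if s["staged"] and s["gets"]:  # T1074.002 staging followed by T1530 retrieval
            findings.append((actor, f"{len(s['staged'])} snapshot/export calls followed by S3 GetObject"))
        for ip, n in s["gets"].items():
            if n >= threshold:  # bulk pull from a single source address
                findings.append((actor, f"{n} GetObject calls from {ip}"))
    return findings

def _rec(name, arn, ip, **params):
    # Minimal constructed CloudTrail record carrying only the fields triage() reads.
    return {"eventName": name, "userIdentity": {"arn": arn},
            "sourceIPAddress": ip, "requestParameters": params or None}

# Constructed sample: a leaked key is reused to create an admin user, snapshot a
# database and a volume, then pull the export from S3 (IPs are documentation ranges).
LEAKED = "arn:aws:iam::123456789012:user/ci-deploy"
SAMPLE = [
    _rec("CreateUser", LEAKED, "198.51.100.7", userName="backup-svc"),
    _rec("CreateAccessKey", LEAKED, "198.51.100.7", userName="backup-svc"),
    _rec("AttachUserPolicy", LEAKED, "198.51.100.7", userName="backup-svc", policyArn=ADMIN_POLICY),
    _rec("CreateDBSnapshot", LEAKED, "198.51.100.7", dBInstanceIdentifier="crm-prod"),
    _rec("CreateSnapshot", LEAKED, "198.51.100.7", volumeId="vol-0abc"),
] + [_rec("GetObject", LEAKED, "198.51.100.7", bucketName="crm-export", key=f"part-{i}") for i in range(120)]
```

Running `triage(SAMPLE)` yields three findings for the leaked identity, one per stage; on real trails the same grouping should be run per account and per time window so that a legitimate administrator's routine snapshot job does not trip the staging rule.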
There is currently no evidence that the compromised data has been misused for fraudulent purposes or sold on underground markets. However, the exposure of PII increases the risk of phishing and social engineering attacks targeting affected customers. Nissan has advised customers to remain vigilant against suspicious communications, including deceptive phone calls or fraudulent correspondence (CybersecurityNews).
Mitigation & Workarounds
The following mitigation and workaround recommendations are prioritized by severity:
Critical: Organizations should immediately review and audit all third-party vendor relationships, especially those involving access to sensitive customer data or cloud environments. Ensure that all vendors adhere to strict security protocols, including regular credential rotation, least-privilege access, and continuous monitoring of cloud environments for anomalous activity (FINRA).
High: Implement robust incident response plans that include rapid notification procedures for third-party breaches. Require vendors to notify your organization of any security incidents within 24 hours of detection. Enforce multi-factor authentication (MFA) for all cloud accounts and administrative access.
High: Conduct regular security assessments and penetration testing of all externally managed systems, including code repositories and cloud infrastructure. Monitor for the use of credential scanning tools such as TruffleHog and investigate any unauthorized access attempts.
Medium: Educate employees and customers about the risks of phishing and social engineering attacks following a data breach. Provide clear guidance on how to identify and report suspicious communications.
Medium: Review and update data retention and minimization policies to ensure that only necessary customer information is stored and that it is adequately protected.
Low: Maintain up-to-date contact information for all customers to facilitate timely notification in the event of a breach. Offer support resources to affected individuals, including guidance on monitoring for identity theft and fraud.
Nissan has stated that it will individually notify affected customers and provide guidance on protective measures. The company has also committed to strengthening oversight of contractors and enhancing information security protocols across its operations (CybersecurityNews).
References
BleepingComputer: https://www.bleepingcomputer.com/news/security/nissan-says-thousands-of-customers-exposed-in-red-hat-breach/
CybersecurityNews: https://cybersecuritynews.com/nissan-data-breach/
FINRA: https://www.finra.org/rules-guidance/guidance/red-hat-security-incident-20251010
Rapid7: https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their vendors and supply chain partners. Our platform enables continuous assessment of vendor security posture, supports incident response coordination, and facilitates compliance with regulatory requirements for third-party risk. For questions or further information, please contact us at ops@rescana.com.