Nissan Japan has confirmed to BleepingComputer that it suffered a data breach following unauthorized access to a server of one of its subsidiaries, Creative Box Inc. (CBI).

This came in response to the Qilin ransomware group's claims that they had stolen four terabytes of data from CBI, including 3D vehicle design models, internal reports, financial documents, VR design workflows, and photos.

"On August 16, 2025, suspicious access was detected on the data server of Creative Box Inc. (CBI), a company contracted by Nissan for design work," stated a Nissan spokesperson to BleepingComputer.

"CBI immediately implemented emergency measures, such as blocking all access to the server, to mitigate the risk, and also reported the incident to the police."

CBI is a Tokyo-based design studio, wholly owned by Nissan Motor Co. Ltd., established as a "think tank" that focuses on experimental and concept vehicle designs.

Qilin ransomware added CBI on its extortion portal on the dark web on August 20, 2025, claiming to have stolen all design projects and threatening to make them public, giving competitors an edge.

The threat actors also published 16 photos of the stolen data as evidence of their claims, which depict 3D car designs, spreadsheets, documents, and car interior images.

Nissan states that an investigation into the incident is currently underway, but it has already verified a data breach.

"Currently, a detailed investigation is underway, and it has been confirmed that some design data has been leaked," stated Nissan.

"Nissan and CBI will continue the investigation and take appropriate measures as needed."

The Japanese automaker also clarified that the leaked data only impacts Nissan, which is the sole customer of CBI. Hence, the stolen data does not expose clients, contractors, or any other companies or individuals beyond Nissan.

Qilin ransomware has been very active this year, claiming high-profile victims such as the Lee Enterprises publishing group and the pharmaceutical firm Inotiv.

The threat actors were linked to the exploitation of the Kickidler employee monitoring tool and two Fortinet vulnerabilities (CVE-2024-21762, CVE-2024-55591), which enabled them to remotely execute code on devices without authentication.