>samit_hota
Back to advisories
SH-2026-107HighOpen

Nihon Kotsu Suffers Major Cyberattack, Disrupting Japan's Largest Taxi Operations

Samit Hota·
CVE ID
N/A
CVSS Score
N/A
Affected Products
Nihon Kotsu, transportation services in multiple Japanese cities
#news#nihon

Overview

Nihon Kotsu, Japan’s largest taxi and chauffeur operator, has been hit by a significant cyberattack that has caused widespread disruption to its critical IT systems. The incident, which occurred in the early morning of Saturday, July 11, 2026, was confirmed as a malware infection resulting from unauthorized external access. The attack necessitated the immediate shutdown and isolation of affected systems, including taxi dispatch, hire car web order and reservation management, and several internal services. As of July 14, 2026, key customer-facing and internal systems remain offline, with ongoing investigation and recovery efforts.

Technical Details

The cyberattack on Nihon Kotsu was identified as a malware infection originating from unauthorized external access. While the specific method of initial access has not been officially confirmed, the company’s advisories regarding suspicious emails and attachments suggest that a potential phishing campaign may have been the entry point. Once the malware infiltrated Nihon Kotsu’s internal systems, it compromised multiple operational components, forcing a broad shutdown to prevent lateral movement and further damage.

The immediate containment actions taken by Nihon Kotsu, such as network isolation and system shutdowns, appear to have successfully limited the spread of the malware. As of the latest reports, there is no evidence of data encryption, ransom demands, or data destruction, and no specific ransomware or extortion group has claimed responsibility for the attack. Furthermore, no technical indicators of compromise (IOCs) like malware hashes, command-and-control (C2) infrastructure details, or exploit specifics have been released by the company or third-party investigators. This suggests a concerted effort to manage the incident internally and with external cybersecurity experts without revealing too much information while the investigation is ongoing.

Real-World Impact

The cyberattack has had a substantial and immediate impact on Nihon Kotsu’s operations and public transportation services across multiple Japanese cities. With a fleet of over 8,500 taxis and 2,000 chauffeur vehicles and thousands of employees, the disruption of dispatch and reservation systems has significantly affected both business operations and customer access. Customers have been advised to resort to alternative booking methods, such as the “GO” taxi app or direct hailing.

While there is currently no confirmed evidence of data exfiltration or leakage, Nihon Kotsu continues to assess this possibility and has pledged to notify affected parties if such information emerges. The potential for customer data exposure, even if unconfirmed, raises concerns about privacy and necessitates vigilance against potential phishing attempts by customers. The economic and logistical ramifications for a major transportation provider are considerable, affecting daily commutes and business travel throughout the affected regions.

Threat Landscape

The attack on Nihon Kotsu underscores the persistent and evolving threat of malware infections and the particular vulnerability of critical infrastructure and service providers. Even without an explicit ransom demand or data encryption, the operational disruption caused by a malware infection can be immense. This incident reflects a broader trend where attackers increasingly target operational technology (OT) and core business systems to cause maximum impact. While the specific actors remain unknown, such attacks can originate from financially motivated cybercriminals, state-sponsored groups seeking to disrupt critical services, or even hacktivists. The suggestion of phishing as an initial access vector further highlights that social engineering remains a highly effective method for breaching even well-defended networks.

Remediation

Nihon Kotsu’s rapid response, including immediate detection, system shutdown, and isolation, was crucial in containing the malware. However, the ongoing nature of the incident means full remediation is still in progress. Key steps for recovery and future prevention include:

  • Comprehensive Forensic Analysis: A thorough investigation to identify the root cause, exact entry point, malware characteristics, and extent of compromise.
  • System Rebuilding and Hardening: Rebuilding affected systems from known-good backups and implementing enhanced security configurations, including robust endpoint protection and network security controls.
  • Enhanced Email Security and User Training: Strengthening email gateway defenses to filter out phishing attempts and conducting continuous, updated security awareness training for all employees, focusing on identifying and reporting suspicious communications.
  • Multi-Factor Authentication (MFA): Implementing strong MFA across all internal and customer-facing systems to prevent unauthorized access even if credentials are compromised.
  • Network Segmentation and Zero Trust: Further segmenting the network to limit lateral movement and adopting a Zero Trust architecture, ensuring strict verification for every user and device attempting to access resources.
  • Continuous Monitoring: Implementing advanced threat detection and monitoring solutions to identify and respond to suspicious activity in real-time.
  • Regular Security Audits and Penetration Testing: Proactively assessing the security posture to identify and remediate vulnerabilities before they can be exploited.
  • Communication Strategy: Maintaining transparent communication with customers and stakeholders regarding the incident’s status and protective measures.

This incident serves as a critical reminder that operational resilience against cyber threats is paramount for continuity in essential services.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call