Kubota North America Corporation has confirmed that an unauthorized third party maintained access to portions of its network systems for approximately 35 days earlier this year, exposing a broad range of employee and dependent personal information.
According to the company’s disclosure, the intrusion ran from March 16 through April 20. During that window, the threat actor accessed files containing personal data tied to employees and their dependents. Kubota began notifying affected individuals by email on June 30, with each notification tailored to reflect the specific data types exposed to that person.
Data Categories Exposed
The following categories of information were potentially compromised, though the exact combination varies by individual:
- Full names, including those of dependents
- Social Security numbers, including those of dependents
- Dates of birth, including those of dependents
- Taxpayer identification numbers
- Driver’s license or other government-issued ID numbers
- Direct deposit bank account information
- Corporate payment card information
- Benefits enrollment and limited claims data, including for dependents
Response and Remediation
Affected individuals are being offered enrollment in Kroll identity protection services. Kubota’s notifications specifically advise recipients to monitor healthcare-related statements and bank accounts, and to report any suspicious activity to relevant authorities promptly.
The company states it has implemented additional security controls to reduce the likelihood of a similar incident occurring. Kubota reported no operational or business disruptions stemming from the intrusion.
Attribution Remains Open
No ransomware group or data extortion actor has publicly claimed responsibility for the attack as of publication. The nature of the intrusion, including the initial access vector, has not been disclosed. Kubota is a Japanese industrial manufacturer with operations across 120 countries, more than 52,000 employees, and annual revenue reported at approximately $20 billion. Its North American division manufactures tractors, mowers, and utility vehicles.
The extended dwell time of over a month before detection underscores the risk posed by undetected lateral movement within enterprise networks, particularly where sensitive HR and benefits data is accessible. Security teams should treat prolonged, low-and-slow intrusions as a distinct threat model requiring dedicated detection coverage beyond perimeter controls.
