Back to Insights
Breaches4 min read13 July 2026

Nihon Kotsu Cyberattack Knocks Out Dispatch and Booking Systems at Japan's Largest Taxi Operator

A malware intrusion detected early Saturday morning forced Nihon Kotsu to pull its booking, dispatch and reservation platforms offline, suspending a critical pre-arranged ride service for expectant mothers across six cities.

t2s
train2secure NewsdeskSecurity awareness team
A row of yellow Tokyo taxis parked at a city taxi stand at night, rain-slicked pavement reflecting streetlights, one tax

Japan's largest taxi operator, Nihon Kotsu, confirmed on Saturday that criminals gained unauthorized access to its internal systems, forcing the company to take booking, dispatch and reservation platforms offline.

The Tokyo-based firm operates 8,558 taxis, more than 2,000 chauffeur vehicles and employs 18,228 people. Annual revenue sits at roughly 155 billion yen, equivalent to approximately one billion US dollars. This is not a soft target. Hitting it disrupts an enormous slice of Tokyo's professional ground transport.

What Happened and When

Nihon Kotsu detected the intrusion in the early hours of Saturday morning. The company's own public statement described the event as "unauthorized external access (malware infection)", meaning criminals placed malicious software on the company's internal network from an external entry point. Once the infection was confirmed, engineers disconnected affected systems as an emergency containment measure to prevent further spread.

That decision was correct. Segmenting infected systems quickly is one of the core recommendations in NIST SP 800-61, the federal incident-response guide that many enterprise security teams treat as a baseline standard. The tradeoff is service disruption. And the disruption here is real.

Car hire, web booking, reservation management and phone dispatch all remain unavailable at time of publication. The company is directing customers to use the GO taxi app or to find a Nihon Kotsu vehicle at a physical taxi stand.

The Human Cost: A Service for Expectant Mothers Is Suspended

The most consequential outage is the suspension of what Nihon Kotsu calls its "labor taxi" service, a pre-arranged ride offering for pregnant women approaching their due date. That service is currently paused in Tokyo, Musashino City, Mitaka City, Tachikawa, Yokohama and Saitama.

Families who had registered for this service need to arrange alternative transport immediately. Nihon Kotsu has offered no timeline for restoration.

Customer Data: Unknown for Now

The company has not confirmed whether any customer records were accessed or exfiltrated. External cybersecurity specialists are assisting the investigation. Nihon Kotsu has pledged to notify customers individually if evidence of a data leak surfaces during the inquiry.

No ransomware group had claimed responsibility by the time this article was published. That is not unusual. Criminal extortion groups routinely wait a week or more before listing a victim on a public leak site, allowing time for private ransom negotiations. Silence in the first 48 to 72 hours tells investigators very little about attribution.

Nihon Kotsu has also warned customers to be alert to phishing emails impersonating the company. This is standard post-breach criminal behaviour: a high-profile incident gives opportunistic attackers a convincing cover story for malicious messages. Anyone receiving an unexpected email referencing Nihon Kotsu, a booking confirmation, a refund notice or a security alert, should treat it as suspect and avoid clicking any links or opening any attachments until the firm restores normal communications.

Which Controls Failed, and What Defenders Should Learn

The company's own description, "unauthorized external access (malware infection)", points to an initial access event that bypassed perimeter controls. The most common routes for this kind of intrusion are phishing emails that deliver a malware loader, exploitation of an unpatched internet-facing service, or credential abuse where an attacker uses stolen login details to authenticate legitimately before deploying malicious tooling.

The Verizon 2024 Data Breach Investigations Report found that phishing and stolen credentials together account for the majority of external intrusions across all industries. Without a full forensic conclusion from Nihon Kotsu, we cannot confirm which vector was used here. But the pattern is consistent with a phishing-delivered payload or a compromised account, both of which are fundamentally human-layer failures before they are technical ones.

This is precisely where security-awareness training produces measurable, documented ROI. When employees can recognise a credential-harvesting email or a suspicious login request, the attacker's cheapest and most reliable entry point disappears. Explore Train2Secure's curriculum and see how it maps to frameworks your team already uses.

A second control gap worth flagging is network segmentation. The fact that dispatch, web booking, phone booking and reservation management were all taken offline simultaneously suggests these platforms may have shared network segments or authentication infrastructure. Proper micro-segmentation limits blast radius. An attacker who compromises one system should not automatically have a path to a completely separate operational platform. If Nihon Kotsu had enforced strict east-west traffic controls between its booking stack and its dispatch systems, some services might have remained operational during containment.

Identity hygiene is the third area defenders should review. Malware that establishes persistence and then moves laterally typically does so by harvesting credentials already present on the infected machine, either cached credentials or service account tokens. Enforcing least-privilege access, rotating service account passwords regularly and deploying multi-factor authentication on all administrative interfaces are the controls that make lateral movement expensive and slow. Expensive and slow gives defenders time to detect.

What the Japanese Transport Sector Tells Us About Target Selection

Nihon Kotsu's incident lands inside a documented trend. Ransomware and data theft groups have repeatedly targeted Asian logistics and mobility companies over the past two years, including freight carriers, rail operators and last-mile delivery firms. The sector is attractive because operational disruption creates immediate pressure to pay or restore quickly. Taxi and transport operators often run thin IT security budgets relative to the value of their data and the operational urgency of their services.

If your organisation runs any kind of operational technology that must stay online, whether dispatch software, scheduling platforms or customer-facing booking systems, the lesson from Nihon Kotsu is direct: a single malware infection can take your entire customer-facing operation offline in hours. Recovery from that position takes days, not hours.

Review your security standards alignment now. Do not wait for the incident notification email.

Nihon Kotsu has cars on the road. It just cannot book them. For an operator of its size, that distinction costs money every minute the systems stay dark.

How a stronger human layer could have limited this attack

  • Train employees to identify phishing emails and suspicious login requests before malware reaches the network, cutting off the most common initial access vector.
  • Test your team with simulated phishing campaigns mapped to real attack patterns so you know where your exposure actually sits.
  • Review network segmentation and least-privilege identity policies so that a single compromised endpoint cannot cascade into a full operational shutdown.

Train2Secure's security-awareness programs are built around exactly these scenarios, so your staff recognise the attack before the malware lands.

Start free, no card required

Frequently asked questions

Is Nihon Kotsu still operating taxis after the cyberattack?

Yes. Nihon Kotsu can still put vehicles on the road. The disruption affects its digital systems, specifically web booking, phone dispatch and reservation management. Customers can still hail a Nihon Kotsu taxi at a stand or book through the GO app.

Was customer data stolen in the Nihon Kotsu breach?

Nihon Kotsu has not confirmed whether customer data was accessed or taken. The investigation is ongoing, with external cybersecurity specialists involved. The company says it will notify affected customers individually if a data leak is confirmed.

Why is the pregnancy transport service suspended and when will it resume?

Nihon Kotsu's pre-arranged ride service for pregnant women near their due date was suspended across Tokyo, Musashino City, Mitaka City, Tachikawa, Yokohama and Saitama as a direct result of the system shutdowns. The company has not announced a restoration timeline. Affected families should arrange alternative transport immediately.

What should I do if I receive an email claiming to be from Nihon Kotsu right now?

Treat any unexpected email referencing Nihon Kotsu as potentially malicious. Do not click links or open attachments. Criminals frequently send phishing emails impersonating breached companies to exploit public awareness of the incident. Wait for an official communication through verified channels before taking any action.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

train2secure analytics dashboard showing training completion stats and user progress