THREAT BRIEFING · 15.07.2026 DEENFRES

Case Studies

Nihon Kotsu: Dispatch Disrupted After Malware Attack

By Benedikt Langer · July 15, 2026 · 6 min read

On July 11, 2026, malware hit Japan’s largest taxi operator, Nihon Kotsu, causing dispatch and booking systems to fail. The company reported the incident two days later. AiLock made contact on July 15, threatening to leak data.

Key Takeaways

  • Dispatch is the bottleneck. It was not just the backend that brought operations to a standstill, but the dependence on dispatch and online booking systems.
  • The response was consistent. Systems were decoupled, stopping the spread of the malware and prolonging the operational outage.
  • Verifying AiLock’s claim. The claim of taking over the system and the threat of releasing data are just that – claims. The company initially did not confirm any data leak.
  • DACH implications. Every fleet, logistics dispatch, and telephone dispatch center in the DACH region (Germany, Austria, and Switzerland) shares the same failure pattern, as they often rely on similar systems.

Related:The weakest supplier opens up the critical infrastructure  /  A signed driver makes endpoint protection blind

What Happened This Weekend

What is the Nihon-Kotsu Incident? Nihon Kotsu, Japan’s largest taxi and chauffeur operator by group revenue, confirmed on July 13, 2026 an unauthorized external access with malware infection. The incident dates back to the early Saturday morning of July 11. Source: company announcement and report by BleepingComputer.

The fleet, according to the company profile, includes more than 8,500 taxis and over 2,000 chauffeur vehicles. Approximately 18,000 employees are dependent on the operation. If dispatch fails, the vehicles are physically ready and digitally without orders.

The company shut down the affected systems. Goal: prevent further damage. Result: web booking, reservation management, phone dispatch, and parts of internal IT remained offline. Customers should use the GO app or taxi ranks. Even the labor taxi service for pregnant women was suspended in several regions.

July 11, 2026
Early morning: unauthorized access and malware infection in internal systems (company statement).
July 11 – July 13
Emergency measures: systems isolated, dispatch and booking remain offline.
July 13, 2026
Nihon Kotsu publishes the incident report and directs customers to the app and taxi ranks.
July 15, 2026
AiLock claims the attack and threatens data publication (claim, not company-confirmed).

Timeline, Claims, and What’s Covered

The company’s claim is substantiated: unauthorized access, malware, emergency shutdown, operational disruption. External security experts were consulted. Nihon Kotsu did not name a confirmed data breach as of 13. July. The possibility was examined.

On 15. July, the group AiLock claimed the attack and threatened to soon publish the data. Such leak-site claims are standard in extortion patterns. They are not a forensic verdict. Volume figures from tracking channels are considered unconfirmed here until the organization or independent forensics corroborates them.

For security teams, the distinction matters: confirmed operational outage versus unconfirmed data claim. Backups restore availability. They do not replace an assessment of confidentiality once exfiltration is on the table.

Why Dispatch Hits Harder Than Pure Office IT

Taxi dispatch, in a broader sense, sits at the intersection with OT: real‑time operations, stringent uptime expectations, and tight integration of phones, apps, web portals and fleet status. When a single node fails, the revenue pipeline collapses. This dynamic mirrors what we see across the DACH mid‑market-control centers, field‑service dispatch, hospital transport operators and regional public‑transport partners.

Segmentation is the key. If provisioning, booking and office file sharing share a trust‑domain path, a single gateway can suffice. The shutdown was appropriate. It proves costly when no validated fallback exists.

Operational Lessons

  • Map dispatch and booking as critical process chains, not just IT services
  • Test emergency fallback: app partners, manual dispatch, stand‑by only operation
  • Segment OT‑proximate and IT systems: an infection in office IT must not drag dispatch along
  • Assess extortion claims only after technical exfiltration is proven
  • Prepare customer communication: alternative channels and a phishing warning on day one

Five Lessons for German-Speaking Organizations (DACH)

First: Process-criticality before asset list. Which three systems halt revenue in under an hour?

Second: Offline playbook with genuine alternative channels. App partners, manual mediation and location-only must be practiced, not just documented.

Third: Segmentation between office IT and operations. Ransomware in accounting must not pull the control center into the incident.

Fourth: Communication kit on day 0. Phishing warning to customers, status page, clear alternative. Nihon Kotsu addressed this in the report.

Fifth: Include extortion claims in incident classification without adopting them as unchecked facts. The board and legal department need a trail: what is verified, what is alleged.

Frequently Asked Questions

Every question is locked. A tap unlocks the answer.

Who is behind the attack on Nihon Kotsu?

The company confirmed unauthorized access and malware. AiLock claimed the incident on July 15, 2026. There is no publicly available independent forensic attribution.

Was customer data stolen?

On July 13, Nihon Kotsu reported no confirmed leak, but did look into the possibility. Later extortion claims do not replace this investigation.

Why did the emergency shutdown help and harm the operation?

It limits lateral spread and data sharing. At the same time, it stops dispatch and booking when no separate fallback paths exist.

What is the DACH relevance?

Every organization with real-time dispatching, fleet or field-service systems shares the same dependency chain. The pattern is industry-agnostic.

Which immediate measure is taken after such an incident?

Isolate systems, secure forensics, activate fallback, start customer communication and track extortion claims separately from confirmed facts.

Editor’s Picks

Editor’s PickWeakest Supplier Opens Critical FacilityEditor’s PickA Signed Driver Makes Endpoint Protection Blind

More from the MBF Media Network

cloudmagazinWhen GPUs Devour the SaaS BudgetMyBusinessFutureWhen a German AI Model Truly Pays Off

Further reading

Case Studies · July 5, 2026

Südwestfalen IT: The Lesson of Municipal IT

Two years after the Southwestphalia IT attack, Security Today dissects: VPN without MFA, rebuilding without ransom, and five lessons for municipal IT.

A magazine by Evernine Media GmbH