Kubota Says Hackers Had Month-Long Access to Network Systems
What happened
Kubota North America Corporation disclosed that hackers had access to some of its network systems for more than a month earlier this year. The company’s investigation found that the threat actor accessed certain systems between March 16 and April 20. During that period, the attacker accessed files containing personal information belonging to employees and their dependents.
Kubota is part of the Japanese industrial manufacturer known for agricultural and construction equipment. Its North American division includes facilities that produce tractors, mowers, and utility vehicles. The potentially exposed information includes full names, Social Security numbers, dates of birth, taxpayer IDs, driver’s license or other government ID numbers, direct deposit bank account information, corporate payment card information, and benefits enrollment and limited claims data. Some of the exposed information may also belong to employee dependents. Kubota said the exact data types vary by person.
The company began sending personalized notification letters by email on June 30, informing affected individuals about the specific information exposed in their case. Kubota is offering Kroll identity protection services to help affected individuals respond to the risk. The company advised recipients to monitor healthcare-related statements and bank accounts and to report suspicious activity to authorities. Kubota said it implemented additional security measures to help prevent similar incidents.
At the time of reporting, no ransomware or data extortion group had claimed responsibility for the attack. Kubota did not mention any operational or business disruption tied to the incident.
Who is affected
Kubota North America employees and their dependents are affected if their information was included in the files accessed by the attacker. The potentially exposed information may include names, Social Security numbers, dates of birth, taxpayer IDs, government ID numbers, bank account information, corporate payment card information, benefits enrollment data, and limited claims information. Because dependent data may also be involved, affected households could face broader identity theft, healthcare fraud, tax fraud, payroll fraud, and financial account risk.
Why CISOs should care
This incident shows how employee and dependent data can become a major breach exposure even when customer-facing operations are not publicly reported as disrupted.
For CISOs, the month-long access window is especially important. Attackers had access to some Kubota network systems from March 16 to April 20, giving them time to locate sensitive HR, benefits, payroll, and dependent information.
The exposed data categories also increase the risk of downstream fraud. Direct deposit bank account information, Social Security numbers, government IDs, taxpayer IDs, and benefits information can support identity theft, payroll diversion, tax fraud, and healthcare-related scams.
The lack of a ransomware or extortion claim does not reduce the need for full incident response. Data theft incidents without public ransomware branding can still involve stolen information that may later be sold, used for fraud, or leveraged in targeted social engineering.
3 practical actions
Review access to HR, payroll, and benefits data: Kubota said files containing employee and dependent information were accessed. CISOs should enforce least privilege, strong logging, and segmentation around systems storing payroll, tax, benefits, and dependent records.
Prepare identity protection and fraud guidance for employees: The exposed data includes Social Security numbers, government IDs, bank account information, and benefits data. Organizations should provide clear instructions for credit monitoring, bank account review, healthcare statement monitoring, and suspicious activity reporting.
Investigate long-dwell network access thoroughly: The attacker accessed systems for more than a month. Security teams should review authentication logs, file access records, lateral movement, persistence mechanisms, data staging, and outbound transfers before closing the incident.