Japan's biggest taxi firm Nihon Kotsu hit by malware, dispatch system still down

The Tokyo-based operator pulled systems offline over the weekend after detecting unauthorized access. Bookings, phone dispatch and a service for expectant mothers remain suspended.

ThreatVectr Newsdesk· 3 min read
A row of Japanese taxis parked outside a Tokyo dispatch office at dusk, roof lights dark, a faint red glow from a control room window, empty street, moody overc
Share

Key points

  • Nihon Kotsu, Japan's largest taxi operator with roughly ¥155 billion (about $1 billion) in annual revenue, detected an intrusion early Saturday morning.
  • The company pulled several systems offline, including taxi dispatch, web booking and reservation management, which remain unavailable.
  • A specialist service that ferries pregnant women near their due date is suspended across Tokyo, Musashino, Mitaka, Tachikawa, Yokohama and Saitama.
  • Nihon Kotsu says outside cybersecurity experts are helping investigate, and it has not confirmed whether customer data was stolen.
  • No ransomware group has claimed responsibility as of publication.

Japan's largest taxi and chauffeur operator, Nihon Kotsu, says criminals broke into its internal systems over the weekend, forcing it to shut down large parts of its booking and dispatch operation.

The company detected the intrusion in the early hours of Saturday morning. It describes the event as "unauthorized external access (malware infection)", meaning malicious software that got onto its network from outside. The incident was first reported by BleepingComputer.

Nihon Kotsu is not a small target. The firm employs 18,228 people, runs 8,558 taxis and operates more than two thousand chauffeur vehicles.

In a public statement, the company said it disconnected affected systems as an emergency measure to stop the damage spreading. That is standard practice. It also means customers cannot use the usual channels to hail a car.

Car hire, web booking, reservation management, phone dispatch and some internal systems all remain offline. The firm is telling customers to book through the 'GO' taxi app instead, or to walk to a nearby taxi stand and flag down a Nihon Kotsu vehicle in person.

What does this mean for ordinary customers?

If you had a booking, it is probably not in the system. The most disruptive suspension is the company's "labor taxi" service, a pre-arranged ride for pregnant women close to giving birth. That service is paused in Tokyo, Musashino City, Mitaka City, Tachikawa, Yokohama and Saitama. Affected families will need to arrange alternative transport.

Nihon Kotsu has also warned customers to be careful with their inboxes. Criminals often follow up a breach by sending fake emails that look like they come from the affected company, a tactic known as phishing, where scammers try to trick you into clicking a link or opening a file that installs more malware. The company's advice is simple: do not open attachments or click links in unexpected messages claiming to be from Nihon Kotsu.

Was customer data stolen?

Nihon Kotsu says it does not know yet. The investigation is ongoing, and the firm has promised to notify affected customers individually if evidence of a data leak emerges. It has brought in external cybersecurity specialists to help.

No ransomware gang, meaning a criminal group that locks a company's files and demands payment to unlock them, has claimed the attack so far. That silence is not unusual in the first days after an incident. Extortion groups often wait a week or more before naming a victim on their leak sites, giving negotiations time to play out privately.

The Japanese transport sector has been a repeated target over the last two years, and this attack lands in the middle of a broader pattern of ransomware and data theft campaigns aimed at Asian logistics and mobility firms.

For now, the practical picture is straightforward. Nihon Kotsu can still put cars on the road. It just cannot take bookings the way it usually does. Anyone waiting on a reservation should assume it needs to be remade through the GO app or at a taxi stand, and anyone receiving unsolicited messages referencing the company should treat them as suspect until the firm restores normal service.

© 2026 Threat Vectr