Kubota North America Says Hackers Sat Inside Its Network for Over a Month
The Japanese equipment maker's US arm says intruders quietly read employee files — including Social Security numbers — between mid-March and late April.

Key points
- Kubota North America Corporation says hackers had access to parts of its network from March 16 to April 20, 2024.
- The stolen files include employee names, Social Security numbers, dates of birth, driver's licence numbers and direct-deposit bank details.
- Dependents of employees were also caught up in the breach, with the same categories of personal data exposed.
- Kubota began emailing affected people on June 30 and is offering free identity-protection monitoring through Kroll.
- No ransomware crew or extortion group has publicly claimed the intrusion, and the company reports no operational disruption.
Kubota's North American arm has told staff that intruders spent more than a month rummaging through its network earlier this year.
The company, part of the $20 billion Japanese industrial group best known for tractors and construction gear, employs more than 52,000 people worldwide. Its US division builds tractors, mowers and utility vehicles at several American plants.
According to a notice posted on the Kubota USA website and first reported by BleepingComputer, the hackers had access to internal file systems from March 16 through April 20, 2024. That is roughly five weeks of quiet access before they were kicked out.
What did the hackers actually take?
They took personal records belonging to employees and, in many cases, the family members those employees list as dependents on their benefits.
The exposed data varies from person to person, but Kubota says it can include full names, Social Security numbers, dates of birth, taxpayer IDs, driver's licence or other government ID numbers, direct-deposit bank account details, corporate payment card information, and benefits enrolment records with limited health-claims data.
That is close to a full identity-theft starter kit for anyone whose file was fully exposed.
Who is behind it?
Honestly — we don't know yet, and Kubota isn't saying.
No ransomware gang has posted Kubota on a leak site. No extortion crew has claimed the intrusion on the Telegram channels and dark-web forums where these groups usually brag. That absence is unusual for a smash-and-grab data theft, and it leaves two plausible readings.
One is a financially motivated crew that grabbed the data and is still negotiating quietly, or preparing to sell the records on. The other, which I'd hold at low confidence without more evidence, is an espionage-flavoured intrusion where the intent was access and information rather than a payday. Kubota supplies agricultural and heavy equipment used across critical sectors, and its supply chain would be of interest to several nation-state clusters that track manufacturing targets — but there is no public indicator of compromise, no named malware family, and no vendor attribution to lean on. Any group name at this stage would be a guess.
Without technical detail from Kubota or a third-party incident-response firm, this stays in the "unattributed" bucket.
Should employees be worried?
If you or a family member worked for Kubota in North America this year, treat the notification letter as real and act on it.
Enroll in the Kroll identity-protection service Kubota is paying for. It won't stop fraud, but it will flag new credit accounts opened in your name.
Watch your bank statements for small, odd charges — criminals often test stolen card details with tiny transactions before draining an account. Kubota is also urging people to check healthcare statements, because medical identity theft (someone using your details to claim treatment or prescriptions) is harder to spot and harder to unwind than card fraud.
If something looks wrong, report it to your bank and to the authorities immediately. In the US that means the Federal Trade Commission at IdentityTheft.gov and, for suspected medical fraud, your insurer's fraud line.
Kubota says it has added new security controls to stop a repeat. It has not said what those controls are, how the hackers got in, or how they were finally spotted. Those are the questions still worth asking.



