The Nihon Kotsu shutdown notice names no exploited vulnerability. The company that dispatches roughly 60,000 rides a day across Tokyo took "part of its infrastructure" offline on July 14 and gave no CVE, no intrusion vector, no ransom note. That absence is not caution, it is the entire disclosure. A taxi operator with GPS-tracked fleets, dispatch systems, and payment terminals shut down first and characterized the incident second, which is the correct order operationally and the wrong order for anyone trying to assess exposure from outside the building.
Compare it to CISA's postmortem on its own contractor, published the same week: AWS Govcloud keys sitting exposed on GitHub, a leak the agency could at least name precisely because it happened inside a system built for audit trails. Nihon Kotsu's ride-hailing app, payment rails, and driver-facing dispatch tools sit outside that kind of scrutiny, run by a company whose security disclosure muscle has never been tested at this scale. The single fact worth tracking is not what attacker got in, it's whether Nihon Kotsu names a technique before its next scheduled shareholder filing, or whether "part of its infrastructure" is the last specific detail the public ever gets.