Nissan warns of data breach affecting employees across four countries linked to Oracle zero-day attacks

At a glance:

• Nissan disclosed a data breach affecting current and former employees in the US, Canada, Mexico, and Brazil after threat actors exploited an Oracle PeopleSoft vulnerability
• The attacks were linked to the ShinyHunters extortion group, which claimed responsibility for breaching over 300 PeopleSoft instances across 100 organizations
• Exposed data may include Social Security numbers, banking information, tax records, and dependent beneficiary information

Nissan Americas uses Oracle PeopleSoft software to manage employee information, including payroll, tax administration, and other personnel records. Following notifications filed with the California Attorney General's Office, Oracle informed the company that a cyber event occurred and personnel records of hundreds of organizations may have been obtained by threat actors. Nissan confirmed it was specifically targeted in this attack campaign.

The automaker stated it is still in the early stages of investigating the full impact of the breach but believes attackers accessed personal information that could include employee contact details, banking data, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information.

This disclosure stems from widespread exploitation of Oracle PeopleSoft servers first reported by BleepingComputer earlier this month. Threat actors exploited a zero-day vulnerability in Oracle PeopleSoft PeopleTools, tracked as CVE-2026-35273, and breached instances between May 27 and June 9. While Oracle has not publicly confirmed the flaw was exploited, Mandiant later confirmed the zero-day exploitation in these attacks, which primarily impacted organizations in the education sector.

ShinyHunters, the extortion group linked to these attacks, claimed responsibility and told BleepingComputer that over 300 PeopleSoft instances across 100 organizations were breached. The group has since begun leaking stolen data on its data leak site, including information from Nottingham University and the National Association of Insurance Commissioners (NAIC).

Nissan activated its incident response after discovering the breach, engaged external cybersecurity experts, secured affected systems, and is working with Oracle to address the issue. The company has implemented additional identity verification measures and is restricting access to employee pay slips and direct deposit changes to company network computers or secured VPN connections.

Affected employees will receive free credit and dark web monitoring services where available. Nissan plans to send additional notifications to individuals whose information was ultimately determined to have been exposed, detailing what specific data was impacted.

The threat actors are a well-known extortion group that commonly targets Salesforce, Snowflake, third-party integration partners, and other cloud SaaS environments for data theft. This incident follows ShinyHunters' recent targeting of the education sector through a separate cyberattack on Instructure Canvas, where they stole 280 million data records from students, teachers, and staff.

Organizations using Oracle PeopleSoft should review their systems for indicators of compromise and ensure they have applied the emergency mitigations released by Oracle. The incident highlights ongoing risks associated with zero-day exploitation in enterprise software and the persistent threat posed by sophisticated extortion groups operating in cloud environments.