Nissan Employee Data Breach Tied to Oracle Zero-Day

Summary
– Nissan disclosed a data breach after attackers exploited a zero-day flaw in Oracle PeopleSoft, potentially exposing Social Security numbers, banking details, and tax records of current and former employees.
– The breach, linked to the ShinyHunters extortion group, affected staff in the US, Canada, Mexico, and Brazil, exposing national identification numbers and dependent or beneficiary information.
– The zero-day flaw, tracked as CVE-2026-35273, is a critical remote code execution bug that Oracle patched only after attacks began; Nissan’s filing places the breach activity between May 27 and June 9.
– Nissan has secured its systems, restricted payroll access to network computers or secured VPNs, and is offering affected staff free credit or dark web monitoring.
– The company urged employees to watch for phishing, change reused passwords, and enable multi-factor authentication, as its investigation remains ongoing.
Nissan has confirmed that attackers exploited a zero-day vulnerability in Oracle PeopleSoft to steal sensitive personal data belonging to current and former employees. The exposed information includes Social Security numbers, banking details, and tax records.
The automaker revealed in a breach notification filed on June 26 that Oracle had alerted it to a widespread cyber incident impacting hundreds of companies, with Nissan being a specific target. The breach is believed to have affected staff in the United States, Canada, Mexico, and Brazil, compromising data such as national identification numbers and dependent or beneficiary information.
Nissan described the entry point only as an unknown flaw in Oracle PeopleSoft, the enterprise software it relies on for payroll and human resources functions. The vulnerability, tracked as CVE-2026-35273, is a critical remote code execution bug that attackers leveraged as a zero-day before a patch was available. The broader campaign has been linked to the ShinyHunters extortion group, which claims to have compromised more than 100 organizations, primarily universities.
Oracle issued an out-of-band advisory and mitigations only after the attacks began. Nissan’s filing places the breach activity between May 27 and June 9, the window during which the campaign operated. While most named victims so far are universities, Nissan stands out as one of the larger corporate entities caught in the sweep.
Beyond Social Security and national identification numbers, Nissan stated that exposed data could include contact information, banking details, financial and tax records, as well as dependent or beneficiary data. The company said it has secured its systems, is collaborating with Oracle, and will offer affected employees free credit or dark web monitoring where available.
As a precaution, Nissan has restricted payroll access, requiring staff to use a network computer or secured VPN to view pay slips or change direct deposit details. The company is also adding extra identity verification steps before processing payroll requests. It has urged employees to watch for phishing attempts, change reused passwords, and enable multi-factor authentication (MFA).
Simon Pamplin, CTO at data security firm Certes, described the incident as “a mass-casualty event across hundreds of unrelated organizations,” noting that patching the flaw does nothing for data already stolen during the exploitation window.
Nissan said its investigation remains ongoing and that affected individuals will be contacted directly.
(Source: Infosecurity Magazine)




