What happened
Nissan disclosed a data breach affecting current and former employees after attackers exploited an Oracle PeopleSoft vulnerability in data theft attacks linked to the ShinyHunters extortion group.
The breach involved Nissan Americas’ use of Oracle PeopleSoft software to manage employee information, including payroll, tax administration, and other personnel records.
In breach notifications filed with the California Attorney General’s Office, Nissan said Oracle informed the company that a cyber event may have exposed personnel records from hundreds of companies. Nissan later learned that it was specifically targeted in the campaign.
The company said it is still in the early stages of its investigation and has not yet determined the full impact of the breach.
Potentially exposed information may include employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information.
The incident is believed to affect current and former Nissan employees in the United States, Canada, Mexico, and Brazil.
After learning of the breach, Nissan activated its incident response process, engaged external cybersecurity experts, secured affected systems, and began working with Oracle to address the issue.
The company said it also took steps to end unauthorized access and prevent further disclosure of employee information. Nissan will offer free credit monitoring and dark web monitoring services to affected individuals where available.
As an added precaution, Nissan is restricting access to employee pay slips and direct deposit changes to company network computers or secured VPN connections while it implements additional identity verification measures for payroll requests.
The breach is believed to stem from the broader Oracle PeopleSoft zero-day exploitation campaign. The vulnerability, tracked as CVE-2026-35273, affects Oracle PeopleSoft PeopleTools and was exploited in data theft attacks between May 27 and June 9.
ShinyHunters claimed that more than 300 PeopleSoft instances across 100 organizations were breached. The group has since begun leaking stolen data from some victims on its data leak site.
Who is affected
Current and former Nissan employees in the United States, Canada, Mexico, and Brazil may be affected.
The potentially exposed data may include contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information.
Organizations using Oracle PeopleSoft are also affected if they were targeted in the broader zero-day exploitation campaign or have not yet applied Oracle’s emergency mitigations.
Why CISOs should care
This incident shows how exploitation of enterprise HR and payroll platforms can create high-impact employee data exposure. PeopleSoft systems often hold sensitive identity, tax, banking, payroll, and dependent information, making them valuable targets for extortion groups and data thieves.
For CISOs, the Nissan breach reinforces that third-party and enterprise application risk can quickly become workforce identity risk. Even if the vulnerability sits in a vendor-managed or widely used platform, the exposed data belongs to employees and may trigger breach notification, fraud monitoring, payroll controls, and regulatory obligations.
The payroll precaution is especially important. Nissan restricted access to pay slips and direct deposit changes because employee banking and payroll data may be involved. Attackers who obtain HR data can use it for payroll diversion, identity theft, tax fraud, and targeted social engineering.
The broader ShinyHunters campaign also shows that zero-day exploitation against enterprise applications can scale across many organizations before public disclosure and patching catch up.
3 practical actions
- Apply Oracle PeopleSoft emergency mitigations and patches: The campaign exploited CVE-2026-35273 in Oracle PeopleSoft PeopleTools. CISOs should confirm patch status, restrict exposure, and validate that emergency mitigations were applied correctly.
- Lock down payroll and direct deposit workflows: Nissan restricted pay slip access and direct deposit changes to company network computers or secured VPN connections. Security teams should require stronger identity verification for payroll changes, banking updates, and employee self-service requests.
- Prepare employee-focused breach response: Potentially exposed information includes tax, banking, identity, and dependent data. Organizations should plan credit monitoring, dark web monitoring, employee notifications, payroll fraud warnings, and account recovery controls after HR platform compromise.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.