Nissan Employee Data Breach Highlights Systemic Risk in Oracle PeopleSoft Zero-Day Campaign

Answer Brief

Nissan disclosed a data breach affecting current and former employees across North and South America after threat actors exploited CVE-2026-35273, a zero-day vulnerability in Oracle PeopleSoft PeopleTools, in a campaign linked to ShinyHunters that compromised over 300 instances across 100 organizations, primarily in education, between May 27 and June 9, 2026.

Why It Matters

Nissan’s disclosure of an employee data breach tied to the Oracle PeopleSoft zero-day exploit (CVE-2026-35273) reveals critical systemic risks in how enterprises manage and secure core HR infrastructure, particularly when relying on widely deployed but infrequently audited enterprise resource planning (ERP) and human capital management (HCM) platforms. The breach is not an isolated incident but part of a broader, financially motivated campaign that Mandiant confirmed targeted over 100 organizations between May 27 and June 9, 2026, with a pronounced focus on the education sector. This pattern aligns with ShinyHunters’ known tactics: exploiting zero-day vulnerabilities in cloud-adjacent SaaS and enterprise platforms to exfiltrate sensitive data for extortion, followed by leakage on dark web forums if ransom demands are not met. The group’s prior actions—including the Instructure Canvas breach affecting 280 million records and leaks involving Nottingham University and the National Association of Insurance Commissioners (NAIC)—demonstrate a consistent focus on institutions holding large volumes of personal data.

What makes this campaign especially concerning is the nature of the data at risk. Oracle PeopleSoft is frequently used to manage payroll, tax administration, benefits, and personnel records, meaning a successful breach can yield not just contact information but also banking details, tax identifiers, Social Security numbers, and dependent information—data that is immutable, high-value on illicit markets, and directly exploitable for identity theft, fraudulent tax filings, and unauthorized payroll redirects. Nissan’s own disclosure confirms that the exposed data spans these categories, affecting current and former employees across four countries, which complicates notification and remediation due to varying data protection laws in the U.S., Canada, Mexico, and Brazil.

From a defensive standpoint, the breach underscores the limitations of traditional perimeter security in detecting data theft from legitimate enterprise applications. Threat actors exploiting zero-days in trusted software like PeopleSoft can operate with minimal noise, using legitimate credentials and API calls to exfiltrate data over extended periods—Mandiant’s confirmed two-week window suggests a deliberate, low-and-slow approach designed to evade detection by signature-based tools. This highlights the need for behavioral analytics, privileged access monitoring, and anomaly detection in HR and payroll systems, particularly around unusual data exports, off-hours access, or changes to direct deposit information.

Nissan’s response—engaging external experts, securing systems, restricting payroll access to secured networks, and adding identity verification for payroll changes—represents a pragmatic, layered approach to containment and prevention. These measures directly address common post-breach tactics: threat actors often use stolen HR data to initiate fraudulent payroll changes or direct deposit reroutes, a tactic observed in prior ShinyHunters-linked incidents. By limiting payroll modifications to internal networks or verified VPNs and requiring additional authentication, Nissan reduces the risk of automated abuse even if credentials or session tokens are compromised.

However, the incident also raises broader questions about vendor transparency and patch latency in enterprise software ecosystems. Although Oracle released emergency mitigations for CVE-2026-35273, it has not publicly confirmed exploitation, a pattern that can delay organizational awareness and response. Security teams using PeopleSoft or similar HCM platforms (e.g., SAP SuccessFactors, Workday) should assume exposure during the May–June 2026 window unless proven otherwise and prioritize reviewing logs for anomalous access to employee data modules, especially between May 27 and June 9, 2026. They should also assess whether their identity governance systems can detect and flag unusual changes to beneficiary or banking information—common indicators of payroll fraud attempts.

Looking ahead, the likelihood of follow-on extortion attempts remains high. Security teams should monitor ShinyHunters’ known leak sites and underground forums for any mention of Nissan or employee data, as well as similar extortion demands targeting other organizations in the campaign. Given the group’s history of targeting integration partners and cloud SaaS environments, organizations should also review third-party connections to their PeopleSoft instances, particularly those involving payroll processors, benefits administrators, or tax filing services, as these may represent lateral movement paths or additional exposure points.

Ultimately, this breach serves as a reminder that enterprise software, even when managed by trusted vendors, is not inherently secure. Zero-day flaws in platforms like PeopleSoft can remain undetected for extended periods, and their exploitation can yield data with long-term criminal utility. Organizations must treat HCM and ERP systems as critical assets requiring the same level of monitoring, segmentation, and access control as traditional IT infrastructure—especially when they serve as central repositories for personally identifiable information (PII) with enduring value to threat actors.
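
The log review recommended above can be sketched as a small triage script. This is an added example, not code from Nissan, Oracle or Mandiant; the CSV event layout, the action names (export_employee, change_direct_deposit), the trusted network range, the business hours and the row threshold are all assumptions made for illustration, and the sample events are constructed.

```python
import csv
import io
import ipaddress
from datetime import date, datetime

# Exploitation window reported on this page: May 27 to June 9, 2026.
WINDOW = (date(2026, 5, 27), date(2026, 6, 9))
# Assumptions for illustration; tune to the environment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # internal / VPN ranges
BUSINESS_HOURS = range(7, 19)                        # 07:00-18:59, log-local time
BULK_ROWS = 500                                      # rows per export worth a look

# Constructed sample events: timestamp,user,src_ip,action,rows
SAMPLE = """\
2026-05-20T10:02:11,asmith,10.1.4.20,view_payslip,1
2026-05-28T02:14:53,svc_hr,203.0.113.45,export_employee,4200
2026-06-01T11:30:00,jdoe,10.2.8.15,change_direct_deposit,1
2026-06-03T03:05:42,jdoe,198.51.100.7,change_direct_deposit,1
2026-06-05T14:20:09,hradmin,10.1.1.5,export_employee,120
2026-06-12T23:40:00,hradmin,10.1.1.5,export_employee,9000
"""

def triage(log_text):
    """Return (timestamp, user, action, reasons) for in-window events needing review."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, user, ip, action, rows = row
        when = datetime.fromisoformat(ts)
        if not WINDOW[0] <= when.date() <= WINDOW[1]:
            continue  # outside the reported exploitation window
        trusted = any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
        reasons = []
        if not trusted:
            reasons.append("untrusted_network")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if action == "export_employee" and int(rows) >= BULK_ROWS:
            reasons.append("bulk_export")
        if action == "change_direct_deposit" and not trusted:
            reasons.append("payroll_change_off_network")
        if reasons:
            findings.append((ts, user, action, reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Timestamps are treated as already being in the local time zone of the log source; convert before triage if the export is in UTC.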

Event Type: security
Importance: high

Affected Companies

  • Nissan
  • Oracle
  • ShinyHunters

Affected Sectors

  • automotive
  • human resources
  • information technology

Key Numbers

  • PeopleSoft instances breached: over 300
  • Organizations impacted: 100
  • Data records stolen in related Canvas attack: 280 million

Timeline

  1. Threat actors began exploiting Oracle PeopleSoft zero-day (CVE-2026-35273) in data theft attacks
  2. Exploitation window ended per Mandiant confirmation
  3. Nissan discloses employee data breach linked to Oracle PeopleSoft attacks

Frequently Asked Questions

What vulnerability was exploited in the Nissan employee data breach?

Threat actors exploited a zero-day vulnerability in Oracle PeopleSoft PeopleTools, tracked as CVE-2026-35273, to breach Nissan's systems and steal employee data. Mandiant confirmed the exploitation occurred between May 27 and June 9, 2026.

Which employee data was potentially exposed in the Nissan breach?

Nissan states attackers may have accessed personal information including employee contact details, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information of current and former employees in the U.S., Canada, Mexico, and Brazil.

Is ShinyHunters responsible for the Nissan breach?

While Nissan has not directly attributed the breach to ShinyHunters, the incident is linked to the same Oracle PeopleSoft zero-day exploitation campaign previously claimed by ShinyHunters, which stated it breached over 300 PeopleSoft instances across 100 organizations and has leaked data from victims such as Nottingham University and NAIC.

What steps has Nissan taken to mitigate the breach and protect affected employees?

Nissan has engaged external cybersecurity experts, secured affected systems, restricted access to employee pay slips and direct deposit changes to secured networks or VPN connections, added identity verification for payroll requests, and is offering free credit and dark web monitoring services to affected individuals where available.

Why are Oracle PeopleSoft systems particularly attractive targets for threat actors like ShinyHunters?

Oracle PeopleSoft systems are attractive targets because they store high-value HR and payroll data, including Social Security numbers, banking details, and dependent information, which can be used for identity theft, financial fraud, and social engineering; their widespread use across industries makes them a high-impact target for data theft and extortion campaigns.
