Data breach | Contained

Nissan Americas discloses employee data breach via Oracle PeopleSoft zero-day

Nissan's Americas operations disclosed that attackers exploiting a zero-day in Oracle PeopleSoft accessed sensitive data belonging to current and former employees in the United States, Canada, Mexico and Brazil.

Victim
Nissan Americas

On 29 June 2026, reporting confirmed that Nissan Americas (the North, Central and South American operations of the Japanese automaker, headquartered in Franklin, Tennessee) had suffered a data breach affecting current and former employees after attackers exploited a zero-day vulnerability in Oracle PeopleSoft. Nissan began notifying affected individuals in late June, telling them that an unauthorised third party may have accessed a substantial amount of sensitive personnel data.

The intrusion is tied to CVE-2026-35273, a critical zero-day in Oracle PeopleSoft PeopleTools that was exploited in the wild between roughly 27 May and 9 June 2026, before Oracle published an out-of-band fix. Google's Mandiant has attributed the broader PeopleSoft exploitation campaign to the data-theft and extortion crew ShinyHunters, tracked as UNC6240, which reportedly compromised more than 100 organisations and hundreds of internet-facing PeopleSoft instances during the campaign.

What was exposed

According to Nissan's notifications, the data that may have been accessed includes contact information, banking information and account numbers, Social Security numbers (or Social Insurance and other national identification numbers), financial and tax data, and dependent and beneficiary information. Nissan said the exposure affected current and former employees across its operations in the United States, Canada, Mexico and Brazil. The company has not published a total headcount for those affected.

Response

Nissan said it acted to secure the affected systems, engaged external cybersecurity specialists to investigate, and is working with Oracle in the wake of the vulnerability's disclosure. The company is offering affected employees complimentary credit and dark-web monitoring and has notified relevant regulators, including filing breach notices with U.S. state authorities.

Why it matters

The Nissan disclosure shows how a single enterprise-software zero-day can cascade into breach notifications at some of the world's largest companies. PeopleSoft underpins payroll and human-resources functions for a vast base of large employers, so its compromise exposes exactly the concentrated personal and financial data (Social Security numbers, bank accounts, tax records) that extortion groups can monetise. For Nissan's workforce, the breach carries a long tail of identity-theft and fraud risk that persists well after the vulnerable systems are patched.

Timeline

  1. Earliest observed exploitation of the Oracle PeopleSoft zero-day (CVE-2026-35273) against internet-facing deployments, per Mandiant.

  2. Exploitation activity against PeopleSoft instances runs through this date before Oracle's advisory is published.

  3. Nissan begins mailing breach notification letters to affected employees.

  4. Public reporting details the Nissan Americas employee data breach and its link to the PeopleSoft zero-day.

Sources

  1. theregister.com: https://www.theregister.com/security/2026/06/29/nissan-says-oracle-peoplesoft-break-in-may-have-spilled-payroll-records-ssns/5263534
  2. infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/nissan-oracle-peoplesoft-zero-day/
  3. govinfosecurity.com: https://www.govinfosecurity.com/nissan-traces-data-breach-to-peoplesoft-zero-day-exploit-a-32113
  4. cyberdaily.au: https://www.cyberdaily.au/security/13825-hacked-automotive-giant-nissan-discloses-multi-country-data-breach
