Nissan Americas discloses employee data breach via Oracle PeopleSoft zero-day
Nissan's Americas operations disclosed that attackers exploiting a zero-day in Oracle PeopleSoft accessed sensitive data belonging to current and former employees in the United States, Canada, Mexico and Brazil.
- Victim: Nissan Americas
On 29 June 2026, reporting confirmed that Nissan Americas (the North, Central and South American operations of the Japanese automaker, headquartered in Franklin, Tennessee) had suffered a data breach affecting current and former employees after attackers exploited a zero-day vulnerability in Oracle PeopleSoft. Nissan began notifying affected individuals in late June, telling them that an unauthorised third party may have accessed a substantial amount of sensitive personnel data.
The intrusion is tied to CVE-2026-35273, a critical zero-day in Oracle PeopleSoft PeopleTools that was exploited in the wild between roughly 27 May and 9 June 2026, before Oracle published an out-of-band fix. Google's Mandiant has attributed the broader PeopleSoft exploitation campaign to the data-theft and extortion crew ShinyHunters, tracked as UNC6240, which reportedly compromised more than 100 organisations and hundreds of internet-facing PeopleSoft instances during the campaign.
What was exposed
According to Nissan's notifications, the data that may have been accessed includes contact information, banking information and account numbers, Social Security numbers (or Social Insurance and other national identification numbers), financial and tax data, and dependent and beneficiary information. Nissan said the exposure affected current and former employees across its operations in the United States, Canada, Mexico and Brazil. The company has not published a total headcount for those affected.
Response
Nissan said it acted to secure the affected systems, engaged external cybersecurity specialists to investigate, and is working with Oracle in the wake of the vulnerability's disclosure. The company is offering affected employees complimentary credit and dark-web monitoring and has notified relevant regulators, including filing breach notices with U.S. state authorities.
Why it matters
The Nissan disclosure shows how a single enterprise-software zero-day can cascade into breach notifications at some of the world's largest companies. PeopleSoft underpins payroll and human-resources functions for a vast base of large employers, so its compromise exposes exactly the concentrated personal and financial data (Social Security numbers, bank accounts, tax records) that extortion groups can monetise. For Nissan's workforce, the breach carries a long tail of identity-theft and fraud risk that persists well after the vulnerable systems are patched.
Timeline
- Around 27 May 2026: Earliest observed exploitation of the Oracle PeopleSoft zero-day (CVE-2026-35273) against internet-facing deployments, per Mandiant.
- Around 9 June 2026: Exploitation activity against PeopleSoft instances runs through this date before Oracle's advisory is published.
- Late June 2026: Nissan begins mailing breach notification letters to affected employees.
- 29 June 2026: Public reporting details the Nissan Americas employee data breach and its link to the PeopleSoft zero-day.
Sources
- theregister.com: https://www.theregister.com/security/2026/06/29/nissan-says-oracle-peoplesoft-break-in-may-have-spilled-payroll-records-ssns/5263534
- infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/nissan-oracle-peoplesoft-zero-day/
- govinfosecurity.com: https://www.govinfosecurity.com/nissan-traces-data-breach-to-peoplesoft-zero-day-exploit-a-32113
- cyberdaily.au: https://www.cyberdaily.au/security/13825-hacked-automotive-giant-nissan-discloses-multi-country-data-breach