Nissan Discloses Employee Data Breach Linked to Oracle PeopleSoft Zero-Day

A high-profile Oracle PeopleSoft customer disclosure: Nissan says current and former employees' data was exposed via CVE-2026-35273, with sector-advisory implications for the broader Oracle exploitation cycle.

Share
Flat white line-art of a car silhouette beside a database cylinder and an employee record card, on an Aubergine background — Nissan employee data breach linked to Oracle PeopleSoft zero-day.

Key Takeaways

  • Nissan disclosed a data breach affecting current and former employees after threat actors exploited CVE-2026-35273, a critical server-side request forgery (SSRF) vulnerability in Oracle PeopleSoft PeopleTools, which Mandiant says was used as a zero-day in data-theft attacks between May 27 and June 9, 2026.
  • Nissan reported that the exposed data may include contact details, banking information, Social Security numbers, and financial and tax records for current and former employees in the United States, Canada, Mexico, and Brazil; the company has not disclosed a specific number of affected individuals.
  • The disclosure is one of several tied to the same Oracle PeopleSoft campaign — which Mandiant says touched more than 100 organizations — and lands alongside separate active exploitation of an unrelated Oracle E-Business Suite flaw, underscoring a broad Oracle exploitation cycle that PeopleSoft customers should treat as a sector advisory.

A high-profile Oracle PeopleSoft customer disclosure — sector-advisory implications for the broader Oracle cycle.

FRANKLIN, TENNESSEE — Nissan on June 30, 2026 was in focus across the security press after the automaker disclosed a data breach affecting current and former employees, which it linked to exploitation of a zero-day vulnerability in Oracle PeopleSoft software. The company said attackers may have accessed sensitive personal data — including Social Security numbers, banking details, and tax records — and that it has begun notifying affected individuals while offering credit and dark-web monitoring. Nissan has not published a specific count of how many people are affected.

The disclosure is a breach story, but it is also a customer-side data point in a much larger vulnerability cycle. The flaw at the center of it, tracked as CVE-2026-35273, is the same critical Oracle PeopleSoft bug that Mandiant has tied to a sprawling data-theft campaign affecting more than 100 organizations — the same vulnerability already documented in attacks on higher-education institutions earlier in the same window. For other PeopleSoft operators, Nissan's notice reads less as an isolated incident than as a sector advisory.

At a Glance
FieldDetails
CompanyNissan (Nissan Americas)
WhatDisclosed data breach affecting current and former employees
Oracle product / CVEOracle PeopleSoft PeopleTools — CVE-2026-35273 (critical SSRF, exploited as a zero-day)
Data categoriesContact details, banking information, Social Security numbers, financial and tax records (reportedly)
AffectedCurrent and former employees in the US, Canada, Mexico, and Brazil; specific count not disclosed
NotificationDirect notifications begun; credit and dark-web monitoring offered where available
StatusDisclosed; incident response engaged with external specialists and law enforcement

What Nissan Disclosed

In its disclosure, Nissan said that current and former employees may have had personal information exposed after threat actors exploited a vulnerability in Oracle PeopleSoft, the human-resources and enterprise software the company uses for functions including payroll. The company said the categories of data potentially involved include contact information, banking details, Social Security numbers, and financial and tax records — the kind of HR and payroll data that PeopleSoft systems are built to hold.

Nissan said it believes the affected population includes current and former employees in the United States, Canada, Mexico, and Brazil. The company has not disclosed a specific number of affected individuals, and the notice is framed around what "may" have been accessed rather than a confirmed enumeration of every record taken. According to reporting, Nissan activated its incident-response protocols on learning of the issue, engaged external cybersecurity specialists, and is cooperating with law enforcement.

The company also outlined remediation and precautionary steps for affected employees. Nissan said it would offer free credit monitoring and dark-web monitoring where available, and reporting indicates it has restricted access to pay slips and direct-deposit changes to company-network computers or secured VPN connections — a control aimed at limiting follow-on fraud against the same payroll data that was exposed.

Affected-Employee Notification Process

For the people whose data is involved, the practical substance of a disclosure like this is the notification process and the protections attached to it. Nissan said it has begun directly notifying affected current and former employees, with the offer of credit and dark-web monitoring services serving as the standard mitigation for a breach that exposes financial identifiers such as Social Security numbers and banking details.

The data categories at issue shape the risk. Social Security numbers, banking information, and tax records are durable identifiers that cannot be rotated the way a password can, which is why monitoring and fraud-watch measures — rather than a simple credential reset — are the typical response. The reported restriction of pay-slip access and direct-deposit changes to corporate-network or VPN connections addresses one specific abuse path, payroll-diversion fraud, in which an attacker uses stolen employee data to redirect salary payments.

Because Nissan has not published a count, the full scope of the notification effort is not yet quantified publicly. Former employees — who may no longer monitor a corporate inbox — are a notable part of the affected population here, spanning four countries with different breach-notification regimes. That cross-border footprint is itself a feature of large-employer breaches tied to centralized HR platforms, where a single compromised system can implicate staff across multiple jurisdictions at once.

The Broader Oracle Vulnerability Cycle

The vulnerability behind the Nissan disclosure is CVE-2026-35273, a critical server-side request forgery (SSRF) flaw in Oracle PeopleSoft PeopleTools. Mandiant has reported that threat actors exploited it as a zero-day in data-theft attacks carried out between May 27 and June 9, 2026 — before Oracle's mitigations were in place — and has tied the activity to the same campaign that the extortion group ShinyHunters has been associated with across other PeopleSoft victims.

The scale of that campaign is what makes Nissan one data point among many. Mandiant has said it notified more than 100 organizations, and reporting indicates roughly 300 PeopleSoft instances were affected before mitigations were applied, with HR, payroll, and other enterprise data among the categories the actors claimed to have taken. The same CVE has already surfaced in CyberSignal's coverage of attacks on higher-education institutions, and Nissan's notice extends that pattern into the automotive and large-enterprise space.

Nissan's disclosure also arrives against a wider Oracle backdrop. Separately from PeopleSoft, attackers have been actively exploiting an unrelated Oracle E-Business Suite flaw, CVE-2026-46817, a critical bug in the Oracle Payments component carrying a CVSS score of 9.8, with in-the-wild exploitation first recorded on June 27, 2026. The convergence — two distinct critical Oracle vulnerabilities under active attack within weeks of one another — is the cycle that customer disclosures like Nissan's, and like the US federal insurance regulator's breach notice, make concrete.

Sector-Advisory Implications for Oracle PeopleSoft Customers

For organizations that run Oracle PeopleSoft, the value of a disclosure like Nissan's is less in its specifics than in what it confirms about exposure. CVE-2026-35273 was exploited as a zero-day against internet-reachable PeopleSoft deployments to reach exactly the kind of HR and payroll data Nissan described. Any organization that ran an affected, externally accessible PeopleSoft instance during the late-May to mid-June window is, by the campaign's own scale, a plausible target rather than an unlikely one.

The first task for PeopleSoft operators is confirmation rather than discovery: verify that Oracle's mitigations and patches for CVE-2026-35273 are applied across every PeopleSoft and PeopleTools instance, including non-production and legacy environments that may be reachable from the internet. Because the flaw was exploited before fixes were broadly deployed, patch status alone does not answer the more important question — whether a given instance was accessed during the exposure window — which makes log review and indicator-of-compromise hunting a parallel priority to patching.

Beyond the single CVE, the episode is a prompt to treat centralized HR platforms as the high-value, sensitive-data systems they are. The data Nissan flagged — Social Security numbers, banking details, tax records — concentrates in PeopleSoft precisely because it is the system of record for payroll. That concentration is what turns one SSRF flaw into a multi-country employee-data incident, and it is the reason restricting external reachability, monitoring access, and rehearsing a notification process belong in the standing posture for any large PeopleSoft estate.

Open Questions

Several specifics remain unresolved at disclosure. Nissan has not published a count of affected individuals, so the true scale of the breach within its own workforce is not yet public. The company's framing — that data "may have" been accessed — leaves open how much of the potentially exposed data was actually exfiltrated, as distinct from merely reachable, a distinction that often sharpens only as an investigation progresses.

It is also not publicly confirmed whether the data tied to Nissan has appeared on any extortion or leak channel, or what demands, if any, accompanied the intrusion. Given that the broader campaign has been associated with an extortion group, the possibility of follow-on pressure exists, but the current disclosure does not assert it, and CyberSignal is not treating unverified extortion claims as established fact.

What is confirmed is enough to act on: a critical, actively exploited Oracle PeopleSoft zero-day, CVE-2026-35273, used in a campaign that reached more than 100 organizations and has now produced a named, high-profile customer disclosure exposing payroll-grade employee data across four countries. For other PeopleSoft operators, the prudent reading is to treat Nissan's notice not as a distant incident but as a sector advisory — and to verify their own exposure to the Oracle vulnerability cycle accordingly.


Sources

TypeSource
PrimaryNissan — employee data breach disclosure (as reported)
ReportingSecurityWeek — Nissan Employee Data Breached in Oracle PeopleSoft Hack
ReportingBleepingComputer — Nissan discloses employee data breach linked to Oracle zero-day attacks
ReportingThe Register — Nissan says Oracle PeopleSoft break-in may have spilled payroll records, SSNs
RelatedThe CyberSignal — ShinyHunters Oracle PeopleSoft CVE-2026-35273 Zero-Day Hits Higher Education
RelatedThe CyberSignal — Oracle E-Business Suite Payments CVE-2026-46817 Active Exploitation