Nissan Data Breach Linked to Oracle PeopleSoft Zero-Day Hack

Nissan has confirmed a data breach affecting current and former employees. The Nissan data breach traces back to a zero-day vulnerability in Oracle PeopleSoft, the software the automaker uses to manage payroll, tax records, and personnel files. It is part of a wider campaign that has already hit dozens of organizations across multiple sectors. The incident shows how quickly a single software flaw can ripple into companies far outside its original target list.

Nissan disclosed the breach in notifications filed with the California Attorney General's Office. Oracle told Nissan that hundreds of companies may have had personnel records accessed by attackers. Nissan was specifically targeted during the campaign. Nissan Americas relies on Oracle PeopleSoft to handle payroll, tax administration, and other personnel records, so the platform offered a direct path into sensitive employee data.

What the Nissan Data Breach Exposed

Nissan says it is still early in its investigation. The company has not finalized the full scope of the incident, but it believes attackers accessed employee contact details, banking information, Social Security numbers, Social Insurance Numbers, and National Identification Numbers. Financial and tax records were also potentially exposed, along with dependent and beneficiary information.

The breach affects current and former employees across the United States, Canada, Mexico, and Brazil. The exposed data includes banking and tax records, so the risk extends well beyond simple identity theft. Attackers with this level of detail can attempt fraudulent tax filings or open lines of credit. They can also target employees directly with convincing phishing attempts built around real personal details.

How Nissan Responded

Nissan activated its incident response process as soon as it learned of the breach. The company engaged external cybersecurity experts and secured affected systems. It also began working directly with Oracle to address the underlying issue, and it took steps to cut off unauthorized access.

As a precaution, Nissan now restricts access to employee payslips and direct deposit changes. Employees must use company network computers or secured VPN connections to view this data. The automaker is also rolling out additional identity verification steps before processing payroll requests, a direct response to the fraud risk tied to exposed banking data. Nissan plans to notify affected employees individually once it confirms whose information was compromised, and it will offer free credit and dark web monitoring services where available.

A Wider Oracle PeopleSoft Campaign

The Nissan incident connects to a story SafeState has tracked closely for weeks. Researchers reported widespread exploitation of Oracle PeopleSoft servers earlier this month, tied to the extortion group ShinyHunters. The group claimed responsibility for the campaign and said it had breached over 300 PeopleSoft instances across roughly 100 organizations.

Oracle later disclosed a critical PeopleSoft PeopleTools vulnerability, tracked as CVE-2026-35273, and released emergency mitigations. Mandiant independently confirmed that attackers exploited this flaw as a zero-day between May 27 and June 9. Most of the early confirmed victims sat in the education sector. That timeline matches breaches SafeState already covered, including the University of Nottingham breach, where more than 450,000 student records were exposed, and the breach affecting the National Association of Insurance Commissioners.

The Nissan data breach marks a notable shift in this campaign. Earlier confirmed victims clustered in education and public sector organizations, but now an automaker joins the list. This shows the campaign reached well into private enterprise HR systems. Any organization running Oracle PeopleSoft for payroll or personnel management should treat this as a signal to check its own exposure, rather than assume the campaign stayed confined to universities and associations.

ShinyHunters' Broader Pattern

ShinyHunters has built a reputation for targeting cloud platforms and third-party integrations instead of breaking into companies one at a time. The group has previously hit Salesforce environments, Snowflake customer instances, and SaaS integration partners. Each successful intrusion lets it pivot toward dozens of downstream victims at once.

The group's recent activity also includes an attack on Instructure's Canvas learning platform. ShinyHunters claimed to have stolen 280 million records from students, teachers, and staff across thousands of schools in that campaign. Instructure ultimately paid a ransom to keep that data off the group's leak site. Whether Nissan faces a similar extortion attempt remains unclear, but recent ShinyHunters campaigns often end with data leak threats following the initial disclosure.

What Employees and Businesses Should Do

Current and former Nissan employees in the affected regions should watch for official notifications. They should also treat unsolicited messages referencing the breach with caution, because attackers often use real breach details to craft convincing phishing emails. Anyone offered credit monitoring through Nissan should enroll promptly. Monitoring bank statements and tax filings for unusual activity is also a reasonable precaution, given the sensitivity of the exposed data.

Businesses running Oracle PeopleSoft internally should confirm that Oracle's emergency mitigations for CVE-2026-35273 are in place. They should also review access logs for signs of unauthorized activity during the late May and early June exploitation window. The Nissan data breach is unlikely to be the last disclosure tied to this campaign. Organizations using the same platform should not wait for a notification letter before checking their own systems.