The carmaker said personnel information belonging to current and former staff in the United States, Canada, Mexico and Brazil may have been accessed through Oracle PeopleSoft, the enterprise platform it uses for payroll, tax administration and other employee records. The exposed data may include contact details, banking information, Social Security numbers, Social Insurance numbers, national identification numbers, financial and tax records, and dependent or beneficiary information.
The disclosure, made through employee notifications dated June 25, places Nissan among the most prominent corporate victims identified in a campaign that has hit widely used human resources and payroll systems. The breach did not stem from a conventional phishing attack against Nissan employees, but from exploitation of a previously unknown software weakness in a system that stores highly sensitive workforce data.
The flaw, tracked as CVE-2026-35273, affects Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. It carries a CVSS severity score of 9.8, the highest critical range, and can be exploited remotely over HTTP without authentication. Successful exploitation may allow remote code execution and compromise of PeopleSoft environments.
Oracle issued an emergency security alert on June 10 after evidence emerged that the vulnerability had already been exploited. The attack activity was observed between May 27 and June 9, making it a zero-day campaign before the vendor advisory and mitigation guidance were released. The weakness affects the Updates Environment Management component and has been associated with exposed PeopleSoft Environment Management Hub endpoints.
Nissan said it activated incident response protocols, brought in external cybersecurity experts, secured affected systems and worked with Oracle to address the issue. The company also said it had been in contact with authorities and was arranging credit or dark-web monitoring services where available for affected individuals. Employees were advised to watch for phishing attempts, change reused passwords, enable multi-factor authentication and monitor financial accounts for suspicious activity.
The case underscores the growing value of HR platforms to cybercriminal groups. Payroll and personnel systems often hold a concentration of identity, banking, tax and family information that can be used for fraud, extortion and targeted social engineering. Unlike customer databases, which usually receive close public scrutiny, internal workforce platforms can be overlooked even though they carry equally sensitive data.
The wider PeopleSoft campaign has been linked by threat researchers to UNC6240, also known as ShinyHunters, a financially motivated group associated with data theft and extortion. The activity involved attempts to compromise PeopleSoft infrastructure, move laterally and stage stolen data for pressure campaigns against victims. More than 100 organisations were notified of potential exposure, with universities and colleges making up a large share of identified targets.
Nissan’s disclosure also highlights a difficult chronology for large enterprises relying on third-party enterprise software. The exploitation window opened before customers had a patch to apply, leaving response teams dependent on detection, network restrictions, log review and post-compromise containment. Once the advisory was issued, organisations running affected PeopleTools versions had to patch quickly while also checking whether attackers had already entered their environments.
Security teams are being urged across the affected customer base to review access logs from late May and early June, look for suspicious traffic to PeopleSoft endpoints, restrict external access to management services and validate whether any outbound connections were made from PeopleSoft servers to untrusted infrastructure. Patching alone may not be sufficient where attackers had already established access before the fix was available.
The breach adds to pressure on companies to reassess the security model around enterprise resource planning and HR software. These systems are often deeply embedded, heavily customised and connected to finance, identity management and compliance processes. That complexity can slow patching and make forensic review more difficult after a zero-day event.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.