"A mass-casualty event across hundreds of unrelated organizations," warned Simon Pamplin, CTO at data security firm Certes, describing a wave of intrusions that has now reached one of the world's largest carmakers.
CVE-2026-35273 and Oracle PeopleSoft
Nissan says attackers exploited a previously unknown, critical remote code execution flaw in Oracle's PeopleSoft software, tracked as CVE-2026-35273, to gain access to HR and payroll systems. The vulnerability was used as a zero-day during an exploitation window that Nissan identified as running from May 27 to June 9. According to Nissan's disclosure, Oracle responded with an out-of-band advisory and mitigations only after the attacks began.
Nissan's disclosure: scope, timeline and data exposed
In a breach notification published on June 26, Nissan said it was specifically targeted in a wider Oracle-related cyber event that Oracle warned affected hundreds of companies. The automaker believes the incident affected current and former employees in the United States, Canada, Mexico and Brazil. Nissan reported that exposed records may include Social Security numbers and other national identification numbers, contact and banking details, financial and tax data, dependent and beneficiary information, and pay- or payroll-related records.
Operational changes at Nissan and support for affected staff
After discovering the compromise, Nissan said it had secured its systems and was working with Oracle on remediation. As a precaution, the company restricted payroll access so that staff must use a network computer or secured VPN to view pay slips or change direct deposit details, and it added extra identity checks before processing payroll requests. Nissan also said it would offer affected staff free credit or dark web monitoring where available, urged employees to watch for phishing, to change reused passwords and to enable multi-factor authentication, and said its investigation was ongoing. The company said affected individuals would be contacted directly.
The wider campaign and the role of ShinyHunters
Public reporting and claims tied the exploitation campaign to the extortion group ShinyHunters, which asserted it had hit more than 100 organizations, mostly universities. Nissan, by contrast, is among the larger corporate names so far identified as a victim of the campaign. Oracle's warning that the event affected hundreds of companies underscores the scale; Simon Pamplin warned that patching the vulnerability does not address data already taken during the exploitation window.
What this means for technologists, affected employees, and regulators
- Technologists and security teams will need to reconcile post-exploitation remediation with the out-of-band mitigations Oracle issued after the attacks began, and should assume, per Certes' assessment, that patching alone does not address data already exfiltrated.
- Affected current and former employees should expect direct contact from Nissan and may be offered credit or dark web monitoring where available; Nissan has urged them to enable multi-factor authentication, change reused passwords and watch for phishing targeting personal accounts.
- Procurement and regulators will weigh the implications of a zero-day in widely used enterprise HR systems, given that Oracle's advisory arrived only after exploitation; organizations that use PeopleSoft will face immediate scrutiny of their update, access and monitoring controls.
The breach sits at the intersection of three linked facts: a critical PeopleSoft zero-day was weaponized in a campaign that swept across universities and now corporate targets; Oracle issued mitigations only after exploitation was underway; and Nissan says sensitive payroll and identity data for current and former staff across four countries may have been taken. Nissan has tightened payroll controls, is working with Oracle, and will notify affected people, but as Certes' Pamplin notes, those steps cannot return data already removed from systems.




