Car maker Nissan began informing current and former employees late last week of a data breach driven by a vulnerability in the software used to manage staff data.
According to a pair of letters filed with the California Attorney General’s Office – one to current staff and one to former workers – Nissan is one of “hundreds of companies” informed by Oracle of a widespread campaign targeting CVE-2026-35273, which itself was only disclosed this month.
“Nissan Americas uses Oracle PeopleSoft software to manage employee information, including payroll, tax administration, and other personnel records,” Nissan said in its letters.
“Oracle has informed us that there was a cyber event and that the personnel records of hundreds of companies may have been obtained by so-called threat actors. We have since learned that Nissan was specifically targeted in this attack.”
The company said it was working with external experts to secure its systems and was in communication with the relevant authorities.
“We are working to complete our investigation as quickly as possible to understand the full scope and impact,” Nissan said.
“Though we are early in that process, we believe some personal information has been accessed, such as contact and banking information, Social Security Number / Social Insurance Number / National Identification Number, financial and tax data, and dependent / beneficiary information.”
Nissan believes the incident impacts employees from the USA, Canada, Mexico, and Brazil.
While Nissan has not yet been listed by the hacking collective known as ShinyHunters, the hackers have listed details of a breach impacting the National Association of Insurance Commissioners (NAIC), which disclosed on 17 June that it had detected “unauthorised access to our PeopleSoft systems” at some point around 11 June, about the same time Oracle made its initial disclosure.
NAIC has been continuing to update its incident disclosure notice, and as of 26 June, the company believed the data impacted by the event did not include “PII or payment and financial account information”.
Nonetheless, ShinyHunters has published 3.1 terabytes of NAIC data, allegedly including “approximately 264k insurer regulatory filing PDFs spanning property/casualty, health, and life/A&H lines from 2017–2024; 2k bulk order and customer records with purchaser names, email addresses, and payment transaction identifiers”.
More than 100 organisations are thought to have been impacted by the breach, most of them in the education sector.
Jake Knott, principal security researcher at watchTowr, said that what makes this zero-day stand out is that it is far from simple to exploit.
“The attack chain is considerably more involved, combining multiple vulnerabilities to plant a malicious file that doesn’t execute immediately but waits until the server restarts. Where we would normally see simple bugs, this is a chain of multiple vulnerabilities, suggestive of a threat actor with genuine knowledge of and familiarity with the underlying codebase, and the ability to develop targeted capabilities against it,” Knott told Cyber Daily.
“If we were able to piece it together that quickly, it’s reasonable to assume that other researchers, and more importantly, attackers, could do the same.”
Knott said that, essentially, simply patching is not enough to resolve this form of compromise, as attackers move too fast and can gain persistent access that lasts beyond the patching cycle.
“With confirmed in-the-wild exploitation, organisations should assume compromise and activate incident response processes to determine whether attackers gained access before patches were applied, what they accessed, and whether they established persistence,” he said.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.