Threat actors exploited an Oracle PeopleSoft zero-day vulnerability (CVE-2026-35273) to breach Nissan's employee data systems, stealing sensitive personal information. This vulnerability was part of a broader attack campaign attributed to the ShinyHunters extortion group, which targeted hundreds of organizations globally. Nissan uses Oracle PeopleSoft for managing employee records, including payroll and tax data. The breach notification indicates that attackers accessed a wide range of personal data for current and former employees in multiple countries. Nissan responded by activating incident response, engaging cybersecurity experts, securing systems, restricting access to payroll functions, and collaborating with Oracle. Oracle disclosed emergency mitigations but has not publicly confirmed exploitation details or patch availability. Mandiant confirmed exploitation of this zero-day in data theft attacks primarily affecting the education sector. ShinyHunters has leaked data from other victims, underscoring the ongoing threat.

The breach exposed sensitive personal information of current and former Nissan employees, including contact details, banking information, Social Security and national identification numbers, financial and tax data, and dependent and beneficiary information. This exposure increases the risk of identity theft, financial fraud, and privacy violations for affected individuals. The breach affects employees in the United States, Canada, Mexico, and Brazil. The incident also highlights the risk posed by zero-day vulnerabilities in widely used enterprise software and the potential for extortion groups to leverage such exploits for data theft and ransom demands.

Oracle has released emergency mitigations for the CVE-2026-35273 vulnerability; however, the official patch status is not confirmed in this data. Nissan has secured affected systems, restricted access to sensitive payroll functions to secured environments, and implemented additional identity verification measures. Affected individuals are being offered credit and dark web monitoring services where available. Organizations using Oracle PeopleSoft should apply Oracle's emergency mitigations immediately and monitor vendor advisories for official patches. Incident response and forensic investigations should be conducted to assess and contain breaches. No contradictory vendor guidance indicating 'no action required' is present.