What's Happening?
Nissan has disclosed a significant data breach affecting current and former employees, resulting from a zero-day vulnerability in Oracle's PeopleSoft software. The breach, which occurred between May 27 and June 9, exposed sensitive personal data, including
Social Security numbers, banking details, and tax records. The flaw, identified as CVE-2026-35273, is a critical remote code execution bug that was exploited by attackers. Nissan was specifically targeted in a broader campaign linked to the ShinyHunters extortion group, which has reportedly affected over 100 organizations, primarily universities. In response, Nissan has secured its systems, is collaborating with Oracle, and is offering affected employees free credit or dark web monitoring services.
Why It's Important?
This breach highlights the vulnerabilities in enterprise software systems and the potential risks they pose to large corporations and their employees. The exposure of sensitive employee data can lead to identity theft and financial fraud, impacting the personal and financial security of those affected. For Nissan, this incident could result in reputational damage and potential legal liabilities. The breach also underscores the importance of robust cybersecurity measures and timely patching of software vulnerabilities to protect against such attacks. The involvement of the ShinyHunters group, known for targeting multiple organizations, indicates a persistent threat to corporate and educational institutions.
What's Next?
Nissan is continuing its investigation into the breach and plans to contact affected individuals directly. The company has implemented additional security measures, including restricting payroll access and enhancing identity verification processes. Employees are advised to remain vigilant against phishing attempts and to update their passwords and enable multi-factor authentication. Oracle has issued an advisory and mitigations for the vulnerability, but the incident serves as a reminder of the need for ongoing vigilance and proactive cybersecurity strategies. Other organizations using Oracle PeopleSoft may also need to assess their systems for potential vulnerabilities.
