Nissan Americas has revealed that a data breach has affected both current and past employees across four nations. This breach resulted from the exploitation of a critical vulnerability within Oracle PeopleSoft software, attributed to the cybercriminal group known as ShinyHunters.
Details of the Oracle PeopleSoft Vulnerability
The attack exploited CVE-2026-35273, a severe vulnerability with a CVSS score of 9.8, identified in the Updates Environment Management (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. This flaw allows remote code execution without the need for authentication or user interaction, making it highly dangerous. Oracle responded with an emergency security patch on June 10, 2026, and CISA promptly included the vulnerability in its Known Exploited Vulnerabilities catalog.
Impact on Nissan and Employee Data
According to notifications submitted to the California Attorney General’s Office, Nissan Americas was specifically targeted in this attack. The breach, occurring between May 27 and June 9, 2026, potentially exposed sensitive employee data such as contact information, banking details, Social Security and Insurance Numbers, and financial and tax information. The breach affects employees in the United States, Canada, Mexico, and Brazil.
Nissan has activated its incident response protocols, including engaging cybersecurity experts and law enforcement. To contain the breach, it has restricted access to payroll systems, which now requires a secure VPN connection and additional authentication. Affected individuals are being offered free credit and dark web monitoring services.
Technical Analysis and Indicators of Compromise
Mandiant’s analysis indicates that ShinyHunters deployed remote management agents disguised as legitimate services, facilitating data exfiltration and internal reconnaissance. Compromised servers were marked with a ransom note file. Key indicators of compromise include specific IP addresses and domains used for command and control operations.
Organizations running PeopleTools 8.61 or 8.62 are urged to prioritize patching. Additional recommendations include disabling the PSEMHUB service, monitoring outbound traffic for suspicious activity, and rotating credentials from potentially compromised systems.
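Alongside patching and disabling PSEMHUB, web access logs can be reviewed for hub requests that came from outside the management network, as in the sketch below. This is an added example, not from the article, Oracle or Mandiant; the Common Log Format, the /PSEMHUB URL prefix, the management subnet and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Assumptions, not from the article: Common Log Format access logs, the
# /PSEMHUB URL prefix, and the subnet allowed to reach the hub.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
HUB_PREFIX = "/psemhub"
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # constructed value
PATCH_RELEASED = datetime(2026, 6, 10, tzinfo=timezone.utc)  # date from the article

# Constructed sample lines (documentation address ranges).
SAMPLE = [
    '10.20.0.15 - - [26/May/2026:09:12:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.45 - - [28/May/2026:02:14:07 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1843',
    '203.0.113.45 - - [28/May/2026:02:14:09 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 7021',
    '198.51.100.7 - - [12/Jun/2026:11:40:00 +0000] "POST /%50SEMHUB/hub HTTP/1.1" 404 0',
    'truncated line',
]


def triage(lines, mgmt_nets=MGMT_NETS, patched=PATCH_RELEASED):
    """Return PSEMHUB requests from outside mgmt_nets, oldest first."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # malformed or non-CLF line
        src, ts, method, path, status = m.groups()
        # Normalise case and percent-encoding before matching the prefix.
        if not unquote(path).lower().startswith(HUB_PREFIX):
            continue
        try:
            addr = ipaddress.ip_address(src)
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of IP, or unexpected timestamp
        if any(addr in net for net in mgmt_nets):
            continue  # expected administrative traffic
        hits.append({"time": when, "src": src, "method": method,
                     "path": path, "status": int(status),
                     "pre_patch": when < patched})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["time"].isoformat(), hit["src"], hit["method"],
              hit["path"], hit["status"], "pre-patch" if hit["pre_patch"] else "")
```

Hits flagged `pre_patch` reached the hub before Oracle's fix was available and are the ones to correlate with outbound traffic and credential use on that host.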
This breach underscores the evolving threat landscape for ERP systems, following similar exploits in recent months. Strengthening security operations and accelerating threat detection remain critical for organizations to protect against such sophisticated attacks.
