NISSAN reported a breach of employee data after attackers exploited a zero‑day vulnerability in Oracle PeopleSoft, exposing Social Security numbers and banking details of current and former staff according to the California Attorney General’s filing.
The flaw, which has not yet been assigned a CVE, allowed unauthenticated access to the PeopleSoft HR module, letting threat actors dump tables containing payroll and personal information as reported by Infosecurity Magazine.
ShinyHunters, the group credited with the intrusion, has been linked to a wider campaign that has hit more than one hundred organisations, mostly universities, and the SecurityWeek article notes that Nissan is now among the confirmed victims per SecurityWeek.
The attack fits a pattern of targeting legacy enterprise applications that lack timely patches, with earlier victims including the University of Nottingham and the National Association of Insurance Commissioners, and it highlights the risk that a single zero‑day in a widely deployed HR system can spill across sectors.
Defenders should apply the emergency patch that Oracle has released for the affected PeopleSoft component, restrict privileged accounts to only those strictly required, enforce multi‑factor authentication on all remote access points, and review logs for unusual queries or data export attempts.
Organisations should also notify potentially impacted individuals as required by law, consider offering credit monitoring services, and use this incident to update threat models and response playbooks to cover zero‑day exploits in third‑party software.