Nissan North America has informed employees that a cyberattack targeting Oracle PeopleSoft systems exposed sensitive personnel records, making the automaker one of the latest known victims linked to a broader campaign exploiting a critical vulnerability in the widely used HR platform.
The company says it is still investigating the incident but believes attackers accessed personal information belonging to current and former employees in the United States, Canada, Mexico, and Brazil.
In a notification sent to employees, Nissan Americas said Oracle informed the company that a cyber incident affecting PeopleSoft may have resulted in personnel records from “hundreds of companies” being obtained by threat actors. Nissan later determined that it was specifically targeted during the attacks.
After becoming aware of the breach, Nissan said it activated its incident response procedures, notified law enforcement authorities, and engaged internal security teams and external cybersecurity experts to investigate the intrusion. The company says it has secured the affected systems, is working with Oracle on remediation efforts, and has taken steps to stop unauthorized access and prevent further data disclosure.
Nissan North America is the regional division of Japanese automaker Nissan Motor Co., overseeing vehicle manufacturing, sales, financing, and corporate operations across the United States, Canada, and Mexico. The company employs tens of thousands of workers throughout the Americas, making its human resources systems a repository for large volumes of sensitive employee information.
Although the investigation remains ongoing, Nissan told employees that the compromised information may include:
- Contact information
- Banking information
- Social Security Numbers, Social Insurance Numbers, or other national identification numbers
- Financial and tax records
- Dependent and beneficiary information
The company emphasized that it is still determining exactly whose information was accessed and will notify affected individuals as the investigation progresses. Nissan also plans to offer complimentary credit monitoring or dark web monitoring services where available.
As an additional precaution, Nissan has temporarily restricted certain payroll functions. Employees must now access pay slips and direct deposit changes only from company network computers or through secured VPN connections. The automaker is also introducing additional identity verification requirements before processing payroll-related requests to reduce the risk of fraud following the breach.
Employees have also been advised to remain alert to phishing emails, phone calls, and text messages that seek personal information, change passwords on important accounts, enable multi-factor authentication wherever possible, and closely monitor bank accounts and credit reports for suspicious activity.
PeopleSoft campaign
The disclosure comes weeks after Google warned that threat actors were actively exploiting a critical Oracle PeopleSoft vulnerability tracked as CVE-2026-35273, a remote code execution flaw in the Environment Management component of PeopleSoft Enterprise PeopleTools.
According to Google Mandiant and Google Threat Intelligence Group (GTIG), the attacks were conducted by a threat cluster tracked as UNC6240, which researchers linked to the ShinyHunters extortion group. The campaign targeted vulnerable PeopleSoft Environment Management Hub (PSEMHUB) instances between late May and early June, with Google notifying more than 100 organizations believed to have exposed systems. The majority of those organizations were based in the United States, and most belonged to the higher education sector.
Mandiant's investigation found that attackers deployed customized MeshCentral remote management agents disguised as Microsoft Azure services, performed reconnaissance of Oracle PeopleSoft and WebLogic environments, compressed stolen data, and distributed extortion notes across compromised systems using automated scripts. Several organizations later appeared on the ShinyHunters data-leak site following the attacks.
Organizations running Oracle PeopleSoft should ensure that security updates and mitigations for CVE-2026-35273 have been applied; disable the Environment Management Hub service where possible; restrict external access to PSEMHUB endpoints; review WebLogic logs for signs of exploitation; and inspect servers for unauthorized files or other indicators of compromise.
Leave a Reply