Nissan / PeopleSoft Breach: When HR Is Also Your Financial Data Repository
Nissan Americas has confirmed employee SSNs, banking and tax data were exposed through the Oracle PeopleSoft zero-day (CVE-2026-35273) campaign linked to ShinyHunters. Mark Fermor on why HR systems keep becoming citizen-scale breaches.

Mark Fermor
Director & Co-Founder, Firevault

Nissan Americas has filed a California Attorney General breach notification confirming that employee records were exposed through the recent Oracle PeopleSoft zero-day campaign, tracked as CVE-2026-35273 and attributed by researchers to the ShinyHunters extortion group.
PeopleSoft is used by Nissan Americas to manage tax administration, payroll and other employee records. The carmaker believes attackers may have taken data on current and former employees across the US, Canada, Mexico and Brazil, including Social Security numbers, banking information, and financial and tax data.
The facts
- Vector: Oracle PeopleSoft zero-day CVE-2026-35273, exploited before a patch was available.
- Nissan Americas uses PeopleSoft for tax, payroll and other employee records; the breach filing was lodged with the California AG.
- Data potentially taken: SSNs, banking information, financial and tax data for current and former employees in the US, Canada, Mexico and Brazil.
- Attribution: ShinyHunters, the extortion group also credited with the wider PeopleSoft campaign said to have targeted 100+ organisations.
- Other confirmed or reported victims: the University of Nottingham, the National Association of Insurance Commissioners (NAIC), Illinois Central College and Moody Bible Institute, with the education sector said to be the most heavily hit.
- Context: Nissan has been hit multiple times in the past year, including the Everest ransomware group's April claim and downstream exposure from the Red Hat data breach.
Source: SecurityWeek, Nissan Employee Data Breached in Oracle PeopleSoft Hack.
Why this matters
HR and payroll platforms are quietly the most sensitive citizen-scale datasets most enterprises operate. They hold government identifiers, bank account details and tax numbers for the entire workforce and its alumni, spanning every jurisdiction the company employs in.
When a single unauthenticated zero-day lands in that platform, the blast radius is not "some employees". It is every current and former employee across every country the platform served. And unlike customer data, employees cannot walk away from the exposure. Their identifiers do not rotate.
This is why HR platforms have become such a valuable target for extortion groups. One vulnerability, one credential, one dwell period, and the attacker walks out with a decade of workforce identity.
The structural problem
Every mitigation mentioned in the coverage arrives after the fact: patch the CVE, rotate credentials, notify the regulators. All necessary. None of them claws back a copy that has already been staged and exfiltrated.
The dataset itself continued to sit on an internet-reachable enterprise application server, joined at the hip to authentication, integrations and admin tooling. A single unauthenticated vulnerability in that application collapses the entire perimeter around a decade of workforce records at once.
"Enterprise SaaS is hardened" is not a control. It is a bet. When the bet loses, the entire employee population is exposed in a single event.
The Firevault position
The master record of workforce identity data, and its recovery copies, should not live on the same network path as the operational HR application.
The live PeopleSoft, Workday or SAP HR instance is fine on the wire. That is what it is for. What has no business being on the wire is the archival gold copy that the organisation depends on to restore, audit and reconstruct.
Firebreak enforces that severance at the physical layer. Offline Secure Storage holds employee identity archives beyond the reach of a zero-day in the operational system, a compromised administrator, or an extortion group already inside the network. It does not stop the live application from being breached. It stops the breach from becoming permanent, and it preserves an untampered evidentiary copy for regulators and for the eventual restore.
The point is architectural. If your only copy of the workforce identity record is inside the same platform an unauthenticated CVE just landed on, you do not have a backup strategy. You have a hope.
— Mark Fermor, Co-founder and CEO, Firevault
What HR and IT leaders should do this week
- Inventory every enterprise application holding Social Security or National Insurance-equivalent numbers, banking details, and tax data for employees. Treat those systems as citizen-scale, not "internal".
- Separate the archival copy of that data from the operational system at the network layer, not only in backup policy or cloud tiering.
- Require a physically air-gapped recovery copy for any HR or payroll platform. Cloud immutability is a delay, not a wall.
- Rehearse a notification drill that assumes an unauthenticated zero-day in the primary HR platform. Time how long it takes to answer: whose data, which jurisdictions, which regulators, and what changed.
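One practical way to start the inventory step above is to scan exports from each candidate system for the identifier formats that make a dataset citizen-scale. The following is an added example, not Firevault's code and not taken from the SecurityWeek coverage: it labels table columns whose values pass the public structural rules for US Social Security numbers, Canadian Social Insurance numbers (Luhn check) and US ABA bank routing numbers (3-7-1 weighted checksum). The sample rows, the column names and the 50% match threshold are constructed assumptions; undashed nine-digit values can satisfy more than one format, so a column whose top two detectors tie is reported as ambiguous rather than guessed.

```python
"""Column-level discovery of citizen-scale identifiers in an exported HR/payroll table.

Added example (not Firevault's or Nissan's code). Sample data, column names and the
match threshold are constructed assumptions for illustration.
"""
import re
from collections import Counter

SSN_RE = re.compile(r"(\d{3})-?(\d{2})-?(\d{4})")


def is_valid_ssn(value: str) -> bool:
    """US SSN structure: area not 000/666/900-999, group not 00, serial not 0000."""
    m = SSN_RE.fullmatch(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, as used by Canadian SINs (and payment card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_sin(value: str) -> bool:
    """Canadian SIN: nine digits (spaces or dashes allowed) passing Luhn."""
    digits = re.sub(r"[\s-]", "", value)
    return len(digits) == 9 and digits.isdigit() and luhn_ok(digits)


def is_valid_aba_routing(value: str) -> bool:
    """ABA routing transit number: nine digits with the 3-7-1 weighted checksum."""
    digits = value.strip()
    if not re.fullmatch(r"\d{9}", digits):
        return False
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


DETECTORS = {
    "us_ssn": is_valid_ssn,
    "ca_sin": is_valid_sin,
    "us_aba_routing": is_valid_aba_routing,
}


def classify_columns(rows, threshold=0.5):
    """Label each column whose non-empty values mostly match one detector.

    Returns {column: label}. A column whose top two detectors tie (typical for
    undashed nine-digit values) is labelled "ambiguous". Threshold is an assumption.
    """
    labels = {}
    columns = rows[0].keys() if rows else []
    for col in columns:
        values = [str(r.get(col, "")) for r in rows if str(r.get(col, "")).strip()]
        if not values:
            continue
        hits = Counter()
        for v in values:
            for name, fn in DETECTORS.items():
                if fn(v):
                    hits[name] += 1
        if not hits:
            continue
        ranked = hits.most_common(2)
        name, n = ranked[0]
        if n / len(values) < threshold:
            continue
        if len(ranked) > 1 and ranked[1][1] == n:
            labels[col] = "ambiguous"
        else:
            labels[col] = name
    return labels


def is_citizen_scale(rows):
    """True when the table holds a government-identifier column for any jurisdiction."""
    return any(lbl in ("us_ssn", "ca_sin") for lbl in classify_columns(rows).values())


# Constructed sample export: no real people, no real bank numbers.
SAMPLE_ROWS = [
    {"employee_id": "E1001", "country": "US", "tax_id": "123-45-6789",
     "bank_routing": "123456780", "bank_account": "000111222"},
    {"employee_id": "E1002", "country": "US", "tax_id": "001-01-0001",
     "bank_routing": "222000008", "bank_account": "99887766"},
    {"employee_id": "E1003", "country": "CA", "tax_id": "046 454 286",
     "bank_routing": "", "bank_account": "55443322"},
    {"employee_id": "E1004", "country": "US", "tax_id": "987-65-4321",  # invalid area 987
     "bank_routing": "321000006", "bank_account": "1234567"},
]

if __name__ == "__main__":
    print(classify_columns(SAMPLE_ROWS))
    print("citizen-scale:", is_citizen_scale(SAMPLE_ROWS))
```

Run against a real export, the labelled columns are what the inventory should record per system; the ambiguous label is a prompt to confirm the field against the schema or column name rather than a finding in itself.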