News and Analysis

Nissan has revealed it suffered a data breach after threat actors exploited flaws in Oracle’s PeopleSoft software, with information on both current and former staff exposed. In a filing with the California Attorney General’s Office, the car manufacturer said it is “working as quickly as possible” to establish the full scale and scope of the breach. An initial investigation by the company reveals that personal information such as contact and banking information, social security numbers, and financial and tax data was exposed in the breach. Current and former employees in the US, Canada, Mexico, and Brazil are among those affected, the company said. “As we continue our investigation, individuals whose personal information has been exposed will receive further communication with additional details and next steps,” the filing reads. Nissan urged employees to take a number of precautionary steps in the meantime, including remaining vigilant for phishing emails or fraudulent phone calls and text messages. Staff were also advised to monitor financial accounts and credit reports for unusual activity, and urged to change passwords for “all significant accounts” – such as banking services. Nissan noted that systems have since been secured and the company is working with technical experts to prevent further leaks. “Upon learning about this issue, we quickly activated incident response protocols. We have been in communication with authorities throughout our response to this attack,” the filing reads. “Our technical teams, along with external experts, have secured our systems and will continue to work with Oracle to address this issue. We have taken steps designed to end unauthorized access and to prevent further disclosure of the information.”Oracle PeopleSoft breachThe announcement by Nissan comes in the wake of a “cyber event” involving Oracle’s PeopleSoft software, which is used to manage employee information such as payroll, tax, and other personnel details. More than 100 organizations are believed to have been affected by the breach so far, which has been linked to the ShinyHunters threat group. Earlier this month, the University of Nottingham was among those impacted by the breach, with data belonging to around 450,000 present and former students compromised in the attack.Simon Pamplin, CTO at Certes, said the breach is a single zero-day in “widely deployed enterprise software can become a mass-casualty event”.“Nissan was not the target of a bespoke attack. It was one of many companies caught in a campaign exploiting a shared vulnerability in HR and payroll infrastructure used across industries,” he said. “The data involved here is particularly serious. Social Security numbers, banking details, tax information and dependent records are not generic employee data. They are the durable financial backbone of a person’s identity, and they were sitting inside a system many organisations treat as core infrastructure rather than a high-value target.”FOLLOW US ON SOCIAL MEDIA