On July 3, 2026, breach notifications arrived in a cluster: Nissan, Kubota North America, and Aflac’s Japan subsidiary all confirmed data theft, joining the National Association of Insurance Commissioners and a growing list of universities and corporations. Most of these disclosures trace to a single cause. Between May 27 and June 9, 2026, threat actors linked to the ShinyHunters extortion ecosystem exploited CVE-2026-35273 — a critical remote code execution vulnerability in Oracle PeopleSoft — as a zero-day, before Oracle shipped an emergency patch on June 10. Google’s Mandiant, which investigated the campaign, has tied it to more than 100 organizations and over 300 individual PeopleSoft instances.

If the shape of this feels familiar, it should. This is the Cl0p/MOVEit playbook of 2023 executed against a new class of target: not a file-transfer utility at the network edge, but the enterprise resource planning software that sits at the heart of HR, payroll, and finance. The 2026 Verizon DBIR documented vulnerability exploitation overtaking phishing as an initial access vector; the PeopleSoft wave is what that statistic looks like when it lands on a specific product with a specific extortion crew behind it.

This article maps the wave — who was hit, what was taken, which vector applies to whom — and then works through the compliance problem it creates: a mass-exploitation event where the stolen data is overwhelmingly employee data, spread across four countries’ notification regimes in a single victim’s case.

The Vulnerability and the Campaign

CVE-2026-35273 is a critical unauthenticated remote code execution flaw in Oracle PeopleSoft. According to Mandiant, exploitation began on May 27, 2026 and ran as a zero-day until Oracle released an out-of-band emergency patch on June 10 — a roughly two-week window in which any internet-reachable, unpatched PeopleSoft instance was effectively open.

PeopleSoft is a productive target for the same reason MOVEit was: it concentrates exactly the data extortionists monetize best. PeopleSoft HCM deployments hold employee master records — names, addresses, Social Security and other government identification numbers, bank accounts for direct deposit, tax withholding data, dependents and beneficiaries. A single successful exploit yields the complete workforce file of the victim, current and former employees included.

The campaign has been attributed to actors associated with ShinyHunters, the extortion collective whose fingerprints are all over 2026’s breach ledger — from MSG Sports to Moody Bible Institute to the Medtronic breach affecting roughly nine million records disclosed the same week. The pattern is data theft followed by extortion-portal listings and staged leaks, not encryption. Most named victims in the PeopleSoft campaign have so far been universities — heavy PeopleSoft users — which makes the corporate names below the visible tip of a much longer disclosure tail still to come.

The Victims: Who, What, and Through Which Door

Precision about attribution matters here, because the July 3 disclosure cluster mixes confirmed PeopleSoft victims with same-week incidents that arrived through different doors.

Confirmed or reported PeopleSoft-campaign victims

Nissan (disclosed to employees, reported July 3) is the clearest corporate case. Nissan Americas runs Oracle PeopleSoft for payroll, tax administration, and personnel records. The company confirmed that attackers exploiting the Oracle zero-day may have accessed data on current and former employees across the United States, Canada, Mexico, and Brazil, including names, contact details, bank account information, tax records, government-issued identification numbers, and information about dependents and beneficiaries. Nissan has engaged external forensic support, secured the affected systems, and is working with Oracle.

Kubota North America disclosed theft of employee data in the same wave: full names, Social Security numbers, dates of birth, driver’s licenses, bank account information, and benefits data — the standard PeopleSoft HCM haul.

National Association of Insurance Commissioners (NAIC) — the standards body for US state insurance regulators — confirmed its breach stemmed from the PeopleSoft zero-day, with ShinyHunters publishing 3.1 TB of data. The NAIC says no PII or payment data was accessed; we examine that incident, and what it means when the regulator’s own infrastructure is the victim, in a dedicated article.

Aflac’s Japan subsidiary disclosed on the same day that policyholder information — policy and coverage details, personal information, and bank account data — was exposed. Public reporting groups it with the July 3 wave; the insurance-sector concentration is consistent with the campaign’s victimology, though organizations should watch Aflac’s own notices for confirmed vector details.

Same week, different doors

Two more disclosures landed in the same news cycle and are easy to conflate with the PeopleSoft campaign. They should not be.

Nidec Corporation, the Japanese motor manufacturer, was claimed by the Blackfield ransomware gang — a separate actor and, by all current reporting, a separate intrusion. Scope is unconfirmed.

KDDI, the Japanese telecommunications giant, disclosed on June 23 (with the story developing into July) that attackers exploited a vulnerability in third-party software in its email infrastructure, exposing up to 14.22 million email addresses and passwords across six ISPs that share the platform: STNet, JCOM, Chubu Telecommunications, Nifty, Biglobe, and KDDI Web Communications. KDDI discovered the intrusion on June 17 and says some passwords were hashed or encrypted — without specifying the algorithm or the proportion stored in recoverable form, which is the detail that determines whether 14 million accounts need urgent password resets or merely precautionary ones.

The KDDI incident is not PeopleSoft, but it rhymes: a shared third-party platform, one vulnerability, and a blast radius spanning six brands and their customers. Whether the aggregation point is an ERP system, an email platform, or a federal information-sharing network, the structural lesson of the week is the same — concentration of data behind a single software boundary converts one vulnerability into an industry event.

The Compliance Problem: Employee Data Across Four Jurisdictions

Take Nissan as the working example, because its footprint makes the problem concrete. One intrusion, one system, four countries of affected employees — and four distinct legal regimes, none of which defers to the others.

United States. There is no federal breach-notification statute for employee data; Nissan must apply the state-by-state patchwork based on where affected current and former employees reside — realistically, all fifty states plus DC for a workforce that size. The data types here (SSNs, bank accounts, government IDs) sit inside every state’s definition of personal information, so no risk-of-harm analysis is likely to relieve the duty. That means dozens of parallel clocks — hard deadlines of 30, 45, or 60 days in many states — plus attorney-general notice in states with regulator-notification thresholds, which a breach of this size will exceed everywhere thresholds exist. Former employees are the operational trap: their addresses are stale, they no longer read company communications, and they are owed the same notice as current staff.

Canada. Under PIPEDA, a breach of security safeguards creating a real risk of significant harm (RROSH) requires notice to the Office of the Privacy Commissioner and to affected individuals as soon as feasible, plus a mandatory internal breach record retained for two years. Stolen SINs and banking data clear the RROSH bar without difficulty. Employees in Alberta, and in Quebec under Law 25 (with its own notification duty to the CAI), add provincial layers.

Mexico. The LFPDPPP requires data controllers to notify affected data subjects without delay of breaches that significantly affect their patrimonial or moral rights — and stolen payroll banking data is close to the paradigm case. Mexico’s regime routes primarily through notice to individuals rather than a regulator filing, but the reformed data protection authority has shown increasing appetite for post-breach scrutiny.

Brazil. The LGPD (Article 48) requires notice to the ANPD and to affected data subjects of incidents likely to cause relevant risk or damage, and the ANPD’s incident-reporting regulation sets an expectation of notification within three business days of awareness — the tightest clock in Nissan’s stack, and one that likely expired long before the July 3 public reporting unless Nissan filed quietly in June.

The point generalizes beyond Nissan. Employee data breaches are multi-jurisdiction breaches by default, because workforces are distributed and former employees scatter. Any multinational running a centralized HR system has pre-positioned this exact problem: one ERP instance, one vulnerability, and every jurisdiction where anyone on the payroll — past or present — happens to live.

The ERP Zero-Day as a Class: Lessons from MOVEit, Applied

The MOVEit campaign taught the compliance field a set of lessons that the PeopleSoft wave now re-administers to organizations that did not internalize them:

1. Patch SLAs are meaningless against a zero-day; exposure management is not. No patching cadence would have protected a victim between May 27 and June 10 — the fix did not exist. What separated victims from non-victims was attack surface: whether the PeopleSoft instance was reachable from the internet at all, and whether compensating controls (WAF rules, access gating through VPN or zero-trust proxies) stood in front of it. ERP systems rarely need to be directly internet-facing; the ones that were, paid for it.

2. Emergency patching is a governance capability, not an IT ticket. Oracle shipped the fix June 10. Every day of delay after that was a choice. Organizations need a defined out-of-band patching path for actively exploited critical vulnerabilities in business-critical systems — one that can override change-freeze calendars, because attackers do not observe them. CISA’s KEV catalog listing and vendor security alerts should trigger that path automatically.

3. “Determine what was taken” is the long pole, and the notification clocks do not wait for it. Mandiant’s campaign window is known; what left each individual instance is a per-victim forensic question involving large HR datasets. Several regimes (LGPD’s three business days, state AG deadlines) will expire before forensics completes. The workable pattern, visible in how the July 3 victims sequenced their disclosures, is staged notification: preliminary regulator notices on the statutory clock, supplemented as scoping matures. Silence until certainty is the one strategy that fails everywhere.

4. The extortion layer changes the notification calculus. ShinyHunters leaks what it is not paid for. Organizations that delay individual notice while negotiating are gambling that affected employees will not learn of the breach from a leak site first — a gamble that, post-MOVEit, regulators and plaintiffs’ counsel treat harshly. Assume publication; notify accordingly.

5. Expect the second wave. Mass HR-data theft feeds follow-on crime with a long tail: tax-refund fraud in the next filing season, direct-deposit redirection attacks against payroll departments, and highly convincing spear-phishing using dependents’ and beneficiaries’ details. Notification letters and credit monitoring address individual identity theft; payroll and HR operations teams need their own hardening — out-of-band verification for bank-detail changes above all.

If You Run PeopleSoft: The Immediate Checklist

  • Confirm the June 10 emergency patch for CVE-2026-35273 is applied to every instance — production, development, test, and the forgotten one a business unit stood up in 2019. Development instances hold copied production data more often than anyone admits.
  • Hunt, don’t assume. The campaign ran from May 27; patching on June 10 closed the door but did not evict anyone already inside. Review logs across the exploitation window for web shells, anomalous service-account activity, and bulk data access, using the published Mandiant indicators.
  • Inventory internet exposure. If an instance is directly reachable from the internet, make it not so, or gate it behind authenticated proxies. This is the control that would have worked against the zero-day.
  • Pre-map your notification matrix now, before you need it: which jurisdictions your current and former workforce spans, which regulators get notice, which clocks are shortest. Doing this during an incident, as we noted in the June breach-cluster analysis, is where notifications lapse.
  • Brief payroll and HR operations on direct-deposit fraud and verification procedures, whether or not you find evidence of compromise.
  • If you are a downstream partner of a victim — a benefits administrator, a payroll processor, a pension provider receiving feeds from an affected ERP — assess your own exposure and contractual notice duties. Waves like this propagate through data-sharing relationships, as the iRhythm third-party breach demonstrated in the healthcare context.
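The "hunt, don't assume" item above is the one most teams skip once the patch is on. The script below is an added example, not Oracle's or Mandiant's tooling, of what a first-pass review of the web tier's access logs across the May 27 to June 10 window can look like: it baselines activity from before the window, then flags script-like paths first requested inside it (a dropped web shell candidate), accounts used from a source address never seen in the baseline, and per-account daily volumes far above that account's normal (bulk data access). The log line format, paths, account names, addresses and thresholds are all constructed for illustration; adapt the parser to your own web tier's format and run the published Mandiant indicators as a separate check.

```python
"""Post-patch hunt over web-tier access logs for the CVE-2026-35273 window.

Added example; not Oracle's or Mandiant's tooling. The log format, field
names, paths, account names, source addresses and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Exploitation window reported for CVE-2026-35273: first exploitation May 27,
# emergency patch June 10, 2026. Patching on June 10 does not clear this window.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, 23, 59, 59, tzinfo=timezone.utc)

# Constructed format: <iso-timestamp> <src-ip> <user|-> "<METHOD> <path>" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)
# Server-side script suffixes a dropped web shell might carry (constructed list).
SCRIPT_EXTS = (".jsp", ".jspx", ".php", ".aspx")

# Constructed sample log: four baseline lines, then five lines inside the window.
SAMPLE_LOG = """
2026-05-20T09:00:00Z 10.0.1.5 jsmith "GET /hr/records/view" 200 18000
2026-05-21T09:05:00Z 10.0.1.5 jsmith "GET /hr/records/view" 200 17500
2026-05-22T02:00:00Z 10.0.9.9 svc_payroll "POST /hr/payroll/export" 200 4000000
2026-05-23T02:00:00Z 10.0.9.9 svc_payroll "POST /hr/payroll/export" 200 4100000
2026-05-28T11:12:00Z 10.0.1.5 jsmith "GET /hr/records/view" 200 17900
2026-06-01T03:14:00Z 203.0.113.7 - "POST /cache/tmp_upload.jsp" 200 512
2026-06-01T03:15:00Z 203.0.113.7 svc_payroll "POST /hr/payroll/export" 200 38000000
2026-06-01T03:20:00Z 203.0.113.7 svc_payroll "GET /hr/records/export_all" 200 52000000
2026-06-02T02:00:00Z 10.0.9.9 svc_payroll "POST /hr/payroll/export" 200 4050000
""".strip().splitlines()


def parse_line(line):
    """Parse one constructed-format log line into a dict with a UTC datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "path": m["path"],
            "status": int(m["status"]), "bytes": int(m["bytes"])}


def hunt(lines, ratio=5.0, absolute_bytes=10_000_000):
    """Return (kind, detail) findings for events inside the exploitation window.

    Baseline is every event before WINDOW_START. Three heuristics:
      new_script_path : script-like path first requested inside the window
      new_source      : an account used from a source address absent from baseline
      bulk_access     : a user's daily bytes exceed `ratio` x its baseline daily
                        maximum, or `absolute_bytes` when it has no baseline
    """
    events = [parse_line(line) for line in lines if line.strip()]
    baseline = [e for e in events if e["ts"] < WINDOW_START]
    window = [e for e in events if WINDOW_START <= e["ts"] <= WINDOW_END]

    known_paths = {e["path"] for e in baseline}
    known_pairs = {(e["user"], e["src"]) for e in baseline}
    baseline_daily = defaultdict(lambda: defaultdict(int))
    for e in baseline:
        baseline_daily[e["user"]][e["ts"].date()] += e["bytes"]
    baseline_max = {u: max(days.values()) for u, days in baseline_daily.items()}

    findings, seen = [], set()
    window_daily = defaultdict(lambda: defaultdict(int))
    for e in window:
        window_daily[e["user"]][e["ts"].date().isoformat()] += e["bytes"]
        if e["path"] not in known_paths and e["path"].lower().endswith(SCRIPT_EXTS):
            key = ("new_script_path", e["path"])
            if key not in seen:
                seen.add(key)
                findings.append((key[0], f'{e["path"]} from {e["src"]} at {e["ts"].isoformat()}'))
        if e["user"] != "-" and (e["user"], e["src"]) not in known_pairs:
            key = ("new_source", e["user"], e["src"])
            if key not in seen:
                seen.add(key)
                findings.append((key[0], f'{e["user"]} from {e["src"]} first seen {e["ts"].isoformat()}'))
    for user, days in window_daily.items():
        limit = baseline_max[user] * ratio if user in baseline_max else absolute_bytes
        for day, total in sorted(days.items()):
            if total > limit:
                findings.append(("bulk_access", f"{user} served {total} bytes on {day} (limit {int(limit)})"))
    return findings


if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```

On the constructed sample this reports three findings: the `.jsp` path that appears only inside the window, the payroll service account used from an address it never came from before, and that account serving roughly twenty times its normal daily volume on June 1, while the ordinary user and the service account's scheduled export stay silent. Each heuristic alone is noisy; in practice the hits are triaged together, and a service account appearing from a new source on the same day as a new script path is the pattern worth escalating to forensics rather than closing.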

Conclusion

The July 3 disclosure cluster is what a supply-chain-shaped mass exploitation event looks like in its second act. The first act — the zero-day window in late May and early June — was invisible to almost everyone. The second act is a rolling procession of breach notices from organizations that share nothing except a software product, with universities, an insurance standards body, and three multinational corporations already named and a long tail of victims still drafting letters.

The strategic takeaway is uncomfortable but clear. ERP systems have joined file-transfer appliances, VPN concentrators, and email platforms in the category of software whose compromise is an industry event rather than a company event. For those systems, the traditional compliance posture — patch on schedule, trust the perimeter, scope obligations when an incident happens — is structurally too slow. Exposure reduction before the zero-day, emergency patching governance during it, and a pre-built multi-jurisdiction notification map after it are the three controls that determine whether an organization rides out the next wave or headlines it.

There will be a next wave. ShinyHunters has already shown its 2026 operating model: find the system where the data concentrates, and break the one lock in front of it.

Sources:

  • BleepingComputer — Nissan discloses employee data breach linked to Oracle zero-day attacks
  • The Register — Nissan says Oracle PeopleSoft break-in may have spilled payroll records, SSNs
  • SecurityWeek — Nissan employee data breached in Oracle PeopleSoft hack
  • BleepingComputer — NAIC says public data stolen in ShinyHunters’ PeopleSoft breach
  • Privacy Guides — Data Breach Roundup (June 26 – July 2, 2026)
  • BleepingComputer — Data breach exposes up to 14.2 million email logins at six ISPs
  • The Japan Times — Information for 14 million email accounts possibly leaked in cyberattack on KDDI

This article is provided for informational purposes only and does not constitute legal advice.