Skip to main content
Home/Blog/Your Payroll System Just Got Hacked. And You Weren't the Target.
Cybersecurity

Your Payroll System Just Got Hacked. And You Weren't the Target.

The Oracle PeopleSoft zero-day that hit Nissan, hundreds of companies, and 455,000 university students exposes a blind spot most businesses haven't fixed yet.

June 30, 2026·7 min read

Last Friday, Nissan Americas sent a sobering letter to its employees: payroll records, Social Security numbers, bank details, and tax data may have been stolen. Not because Nissan's own systems were hacked. Because a piece of software Nissan uses — Oracle's PeopleSoft — had a vulnerability attackers found before Oracle did.

Nissan was specifically targeted, the letter said. But it also acknowledged something broader: "hundreds of companies and institutions" were caught in the same campaign.

That number isn't an exaggeration. Researchers at Mandiant and Google confirmed that more than 100 organizations had already been compromised — 68 percent of them universities — before Oracle even published a patch. The gang behind it is ShinyHunters, a prolific cybercrime group that has become one of the most aggressive extortion operations active today.

This story matters to every business running enterprise software. Here's why.

The Attack Nobody Saw Coming

CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft — the software that manages HR records, payroll, benefits, and financial data for thousands of organizations worldwide. It carries a CVSS score of 9.8 out of 10, which means it is about as dangerous as vulnerabilities get.

What makes it especially concerning: attackers didn't need a username or password. No phishing. No insider access. Just network access to the exposed system, and they were in. From there, they operated as legitimate users inside the application — extracting payroll files, HR records, student data, and financial information through the system's own logic.

The exploitation started May 27. Oracle didn't publish its advisory until June 10 — two weeks later. That entire window was a zero-day: a vulnerability that attackers knew about and were actively exploiting while organizations had no way to know they needed to act.

By the time the advisory was public, the damage was already done for hundreds of organizations.

Why ERP Systems Are the New Breach Frontier

For years, the breach headlines focused on phishing, credential theft, and ransomware. Those threats haven't gone away. But attackers have gotten more sophisticated about where they hunt for valuable data.

Enterprise resource planning (ERP) systems like Oracle PeopleSoft, SAP, and Workday hold the most sensitive operational data a company has: every employee's personal and financial information, payroll details, benefits records, organizational charts, and internal financial data. In many cases, that data is more valuable to attackers than customer records — it can be used for targeted fraud, identity theft, tax scams, and direct payroll diversion.

They also tend to be under-monitored. Security teams often focus heavily on perimeter defenses and endpoint detection. The ERP system, running quietly in the background, processing payroll and managing HR workflows, doesn't always get the same level of attention.

ShinyHunters knew this. Their campaign automated the scanning and exploitation of PeopleSoft environments at industrial scale — not one target, but hundreds simultaneously. It's a pattern the security community calls "spray and pray" at enterprise scale. Find the vulnerability, write the exploit, run it everywhere, then sort out what's valuable.

What Was Actually Stolen

At Nissan: contact information, bank account details, Social Security and national ID numbers, financial and tax records, and dependent and beneficiary information for current and former employees in the US, Canada, Mexico, and Brazil.

At the University of Nottingham: names, home addresses, phone numbers, passport numbers, ethnicity, disability status, and financial records for approximately 455,000 current and former students across campuses in the UK, Malaysia, and China.

At organizations targeted through the broader ShinyHunters campaign: HR records from Kodak, Madison Square Garden data including sensitive talent files, and data from at least two dozen additional companies whose customers were previously notified of the Klue-Salesforce supply chain breach — the same group, running parallel tracks.

Think about what that data enables downstream: targeted phishing against employees using their own HR records. Tax fraud filed before victims realize anything happened. Payroll diversion attacks against employees who don't know their banking information was compromised. The damage doesn't stop at the initial breach.

The Patch Problem Every Business Has

Here's the uncomfortable reality behind this story: most organizations don't patch enterprise software on an emergency basis. They have change management processes, scheduled maintenance windows, and testing cycles designed to prevent outages. Those are reasonable practices — but they create a window of exposure every time a critical vulnerability drops.

When a CVSS 9.8 zero-day is already being actively exploited, the calculus changes. Oracle issued an out-of-band patch — an emergency fix outside of its normal quarterly cycle — on June 10. CISA added CVE-2026-35273 to its Known Exploited Vulnerabilities catalog two days later, meaning federal agencies were required to patch within days.

Private sector organizations have no equivalent mandate. Many are still running through their internal approval cycles.

The takeaway isn't that patching processes are wrong. It's that you need a tiered response capability: one process for routine patches, and a different, faster process for critical vulnerabilities in systems that hold your most sensitive data.

Three Actions Every Business Should Take Now

If your organization runs Oracle PeopleSoft — or any enterprise HR, payroll, or ERP system — here's what matters right now:

First: Verify your patch status. If you're running PeopleTools 8.61 or 8.62, confirm that Oracle's emergency patch has been applied. If you can't patch immediately, restrict external access to the Environment Management Hub (PSEMHUB) endpoints and implement compensating controls at the network perimeter. Don't wait for a scheduled maintenance window.

Second: Look for indicators of compromise. Because this vulnerability was exploited for two weeks before it was publicly known, patching alone doesn't mean you're clean. Check web server logs for external connections to /PSEMHUB/hub or /PSIGW/HttpListeningConnector. Search PeopleSoft directories for a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT. Review outbound network traffic for unusual SMB connections. If any of those exist, assume compromise and engage incident response immediately.

Third: Revisit how you monitor enterprise applications. Your ERP system should be part of your security monitoring program — not just your IT operations program. Application-layer activity, authentication anomalies, and unusual data extraction patterns should feed into your security operations just like endpoint alerts do.

The Broader Lesson

Nissan didn't fail to secure its perimeter. Nissan ran enterprise software that had a vulnerability nobody publicly knew about, and attackers found it first. That's not a failure of effort — it's a structural challenge that every organization using complex enterprise software faces.

The response isn't to panic. It's to have a clear-eyed view of what software you're running, what data it holds, how quickly you can respond when a critical vulnerability drops, and whether your monitoring would catch an attacker operating quietly inside your systems for two weeks.

Most organizations don't have satisfying answers to all four of those questions. That's the work.

TrustPoint Cyber helps organizations assess and improve their security posture across enterprise systems — from ERP platforms to identity infrastructure to incident response readiness. If you're not sure where your organization stands, that's exactly the conversation to start.

Get Protected

Ready to strengthen your security?

TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.