Two more organizations have confirmed data breaches stemming from the recently disclosed Oracle PeopleSoft vulnerability. Nissan reported that employee data was exposed across multiple manufacturing plants in the United States, Canada, Mexico, and Brazil. Separately, the National Association of Insurance Commissioners (NAIC), the US body that oversees insurance regulation, confirmed a broad data leak resulting from exploitation of the same PeopleSoft flaw.
The breaches follow a claim made roughly a week earlier by the extortion group ShinyHunters, which listed NAIC as a victim and claimed to have exfiltrated 3.1TB of data. In an update posted the following day, the group walked back part of that claim, stating that the original post had been generated with AI assistance and was inaccurate regarding the specific types of data actually stolen.
This pattern — a single unpatched enterprise application producing a rolling series of victim disclosures over days or weeks — is typical of mass exploitation against widely deployed on-prem software. Attackers scan broadly for vulnerable instances, exfiltrate data opportunistically, and disclosures trickle out as each affected organization completes its own investigation.
If your organization runs Oracle PeopleSoft, confirm the relevant patch has been applied and don’t stop there: review access and export logs from the disclosure window for signs of exploitation that predate your patching. Also treat extortion group claims with some skepticism — as this incident shows, even the attackers’ own reporting on stolen data volume and scope can be wrong.