PeopleSoft zero-day affecting hundreds of organisations leaks gigabytes of data

Ars Technica, 3 h ago
Photo: server rack with red warning light in an office (Christina Morillo / Pexels)

A zero-day vulnerability discovered in Oracle's PeopleSoft ERP platform has turned into an active campaign exfiltrating gigabytes of data from hundreds of organisations. The case Ars Technica reports on is a concrete example of supply-chain risk in enterprise software security.

PeopleSoft is a legacy but widely used ERP (enterprise resource planning) platform deployed by large companies, government departments, universities and healthcare institutions globally. Human resources, finance, procurement and student-record functions all run on PeopleSoft modules. Oracle acquired the company in 2005, but many installations run under "sustained support" arrangements.

The technical category of the vulnerability has not been fully disclosed; Ars Technica describes the attack as unauthenticated remote code execution or a comparably serious class of flaw. Organisations are seeing large-scale data exfiltration after the vulnerability is triggered, even where no obviously unusual outbound traffic was noticed beforehand.

The profile of stolen data matters. ERP platforms hold highly sensitive categories: employee identifiers (national ID, social security numbers, bank account numbers), salary and performance records, vendor and supplier contracts, patient or student record data. These categories are high-value for both individual identity theft and corporate espionage.

Attribution has not yet been made, but sources Ars Technica cites describe the attacking group as organised and technically advanced. Targeted sectors include US state universities, federal government departments, healthcare systems and large enterprise customers.

There are urgent incident-response steps for organisations. Oracle has issued a patch for the vulnerability; the first step for system administrators is rapid deployment. The second step is log analysis against indicators of compromise (IOCs): unusual queries, unexpected table additions and anomalous data-export operations should be checked. The third step is an assessment of which user or vendor data was affected.

There are regulatory consequences. In the US, the SEC's cybersecurity disclosure rule that came into force in 2023 compels public companies to disclose "material" cyber incidents within four business days. EU GDPR and NIS2 directives carry similar notification obligations. In Turkey, KVKK and BTK cyber-incident reporting rules require notification to KVKK within 72 hours of a breach.

The incident also raises a long-running issue in ERP security: insufficient testing of legacy enterprise software. "Shift-left security" is now common in modern applications, but architectures designed in the 1990s like PeopleSoft are late to integrate into that modern test regime. ENISA's 2024 report shows that the vulnerability density of legacy ERP systems used in the EU is markedly higher than that of modern cloud-native ERPs.

On the business-impact side, gigabyte-scale data leaks translate into very large GDPR fines. Large data breach incidents in Europe in 2024 averaged around 4.5 million euro in penalties. In the US, class actions generate substantial liabilities based on the categories of data leaked.

Context for Turkey: the 2024 ransomware attempt against the Health Ministry's MEDULA system showed that mission-critical software infrastructure is being targeted at national scale too. Major Turkish universities and public bodies use PeopleSoft or derivative ERP installations; rapid deployment of Oracle's update is critical. USOM routinely circulates such vulnerabilities to enterprise IT, but implementation discipline matters.

Near-term takeaway: any organisation running PeopleSoft should track Oracle's urgent security advisories and not delay patching. Ars Technica's report is a reminder that ERP security auditing is a core enterprise IT task. This article is not a security audit or investment recommendation.

This article is an AI-curated summary based on Ars Technica. The illustration is a stock photo by Christina Morillo from Pexels.