Last week’s breach ledger had a theme of scale. This week’s has a theme of architecture: a single zero-day vulnerability in Oracle’s widely deployed enterprise software, exploited by the ShinyHunters extortion group, is now producing victim disclosures the way a burst pipe produces water damage — room by room, days apart, all from the same hole. If your Social Security number sits in a PeopleSoft HR module somewhere (and if you have had a corporate employer, it very likely does), this one is about you.

The regulator that got regulated: NAIC’s 3.1 terabytes

The most consequential victim is one most people have never heard of. The National Association of Insurance Commissioners — the standard-setting body for every state insurance regulator in America — confirmed that ShinyHunters exploited an Oracle PeopleSoft zero-day to steal roughly 105,000 files totaling 3.1 terabytes: regulatory documents spanning 2017 to 2024, customer records, payment data, and, most alarmingly, production credentials.

Sit with that last item. Stolen documents are a bounded loss; stolen production credentials are a skeleton key whose locks you have to find before the thief does. And an organization that aggregates regulatory filings from an entire industry is precisely the kind of quiet, unsexy, data-rich institution that extortion crews have learned to prize. Regulators demand mountains of sensitive data from the companies they oversee. The obligation to protect that mountain apparently remains harder to enforce on oneself.

Nissan and Kubota: the HR module is the crown jewels

The same Oracle exploitation wave reached Nissan, which disclosed a breach of current and former employee data across the US, Canada, Mexico, and Brazil: contact information, banking details, Social Security numbers, tax data, and information about dependents. Note that last word — dependents. People who never worked for Nissan, some of them children, are in this breach because a parent’s HR file is a household dossier.

Kubota North America disclosed its own employee breach in the same vein — attackers sat inside for roughly a month across March and April, taking names, SSNs, government IDs, direct-deposit banking details, and benefits data.

There is a lesson in the target selection. For years, “data breach” meant customer databases. The extortion economy has figured out that the employee database is richer: identity documents, bank routing numbers, tax forms, beneficiaries — everything needed for wholesale identity theft, concentrated in enterprise HR platforms that were installed a decade ago and hardened never. One zero-day in that software class is a master key to hundreds of workforces at once. That is exactly what we are watching play out.

Medtronic: 9 million patients and a quiet ransom

The gravest entry belongs to healthcare, as it usually does. Medtronic, one of the world’s largest medical device makers, suffered a ShinyHunters breach — detected back in April — of over 9 million records: names, contact details, dates of birth, Social Security numbers, and health information.

Then the records disappeared from ShinyHunters’ leak site — the signature of a paid ransom. Understand what that purchase actually buys: a criminal organization’s promise. The data is not “back”; it is merely unadvertised, held by people whose business model is monetizing it and whose word is the only warranty. Nine million patients now depend on the discretion of the group that robbed them. Meanwhile the incentive loop closes: every quiet payment finances the next zero-day. We said it after Talkspace and after June’s medical breaches, and it stays true — health data is the most permanent data you have, and it keeps living in the least defended places.

Japan’s plaintext problem: 14.2 million email logins

Away from the Oracle wave, Japan delivered the week’s largest raw number. A breach of an email platform used by KDDI and five other Japanese ISPs exposed up to 14.22 million customer email logins. The detail that should end careers: only some of the passwords were hashed; the rest were apparently sitting in plaintext, a storage decision the companies have yet to coherently explain. Password hashing has been baseline practice since before some of those ISPs’ customers were born. An email password in plaintext is not one account lost — it is a password-reset skeleton key to every service attached to that inbox, plus fuel for the credential-stuffing economy that already runs on dumps like the 24-billion-record compilation that surfaced last month.

Rounding out the ledger: Japanese motor manufacturer Nidec is facing a $2 million ransomware demand, and an Aflac Japan subsidiary disclosed stolen policy details, personal information, and bank account data.

The moral: your security is your vendor’s patch cadence

Strip away the names and this week is one story told five ways. The NAIC, Nissan, Kubota, and Medtronic did not each make a novel mistake; they made the same non-decision — running a common enterprise platform — and a single vulnerability in it breached them all. This is what “supply chain risk” means when it stops being a conference slide: your data’s safety is determined by software you have never heard of, patched on a schedule you will never see, at companies you did not choose.

Which is why the frameworks matter. Breach-notification laws produced these disclosures; the state laws that came online this week produce the duties; and the sensitive-data rules now spreading state by state are the only reason “SSN plus health data” costs more than an apology. Assume your identifiers are already circulating — freeze your credit, use unique passwords, treat your inbox as critical infrastructure. The pipe that burst this week was patched. The next one is already installed.