NAIC Confirms Data Breach via Oracle PeopleSoft Zero-Day, Disputes Extent of Compromise
The **National Association of Insurance Commissioners (NAIC)** has confirmed a data breach orchestrated by the **ShinyHunters** extortion group, exploiting a zero-day vulnerability in an **Oracle PeopleSoft** server. While **ShinyHunters** claims to have exfiltrated terabytes of sensitive data, the **NAIC** maintains that only publicly available information, outdated logs, and configuration files were stolen, with no evidence of Personally Identifiable Information (PII) or financial data compromise.

The **National Association of Insurance Commissioners (NAIC)**, a critical U.S. insurance regulatory organization operating in all 50 states, has recently disclosed a significant cybersecurity incident. On June 11, the **NAIC** identified unauthorized access to its **PeopleSoft** system, attributing the breach to the notorious **ShinyHunters** extortion group.
### Exploiting a Zero-Day Vulnerability
The breach was executed by exploiting a zero-day vulnerability in an **Oracle PeopleSoft** server. Following the **NAIC's** refusal to pay a ransom, **ShinyHunters** proceeded to leak what they claimed was the stolen data.
### NAIC's Assessment of the Compromise
In response to the leak, the **NAIC** issued a security update, stating that the attackers accessed and, in some cases, exfiltrated already publicly available statutory financial reports, credit rating agency data, outdated logs, and configuration information. Crucially, the organization's investigation found no evidence of Personally Identifiable Information (PII) or financial data being exposed.
The **NAIC** also directly disputed **ShinyHunters'** earlier claims of compromising critical insurance regulatory platforms such as **SERFF** (System for Electronic Rate and Form Filing), **OPTins** (Online Premium Tax for Insurance), and **SBS** (State-Based Systems).
### Operational Impact and Discrepancies
Despite the **NAIC's** assurances, the incident did have operational consequences, including temporary suspensions of data feeds from credit rating agencies and a pause in the **NAIC's** investment designation work. However, significant discrepancies persist between the hackers' claims and the organization's findings.
### ShinyHunters' Updated Claims
In an announcement updated on June 25, **ShinyHunters** asserted possession of 3.1 TB of data, comprising 105,000 files stolen from **NAIC** systems. Their inventory allegedly includes:
* **INSData** and **Vision** servers
* 264,000 insurer regulatory filing PDFs from 2017 to 2024
* 2,000 customer/order/payment records
* 45,000 rating agency files
* **AWS** infrastructure configurations
* Stored credentials for **SERFF**, **OPTins**, and **UCAA** production environments

Notably, **ShinyHunters** admitted that an earlier summary of the stolen data was exaggerated because of AI hallucinations during file evaluation. They now claim the latest published inventory has been human-validated and should be considered accurate.

### Remediation and Broader Impact
The **NAIC** has stated that all affected systems have been remediated, and additional defenses are being implemented to prevent future attacks.
This incident is part of a broader hacking spree by **ShinyHunters** leveraging the zero-day vulnerability (**CVE-2026-35273**) in the **PeopleSoft** enterprise system, which has reportedly impacted over 100 organizations. Prior to public disclosure by **Oracle**, reports emerged of **Oracle PeopleSoft** servers, both cloud and on-premises instances, being targeted in similar data theft and extortion attacks signed by **ShinyHunters**. Most of the targeted organizations were reportedly in the education sector and had been previously extorted by the threat actor.