
Oracle Flaw Exposes US Citizens' Credit Data in NAIC Breach

"FBI coordination is underway," the National Association of Insurance Commissioners (NAIC) noted in its June 26 update, as the association disclosed a breach that exposed U.S. citizens' credit rating data and forced temporary operational changes.

Zero-day in Oracle PeopleSoft: how the intrusion began

The NAIC says the intrusion was accomplished through exploitation of a zero-day vulnerability in Oracle PeopleSoft—software the association uses for internal financial reporting purposes. The incident was detected on June 11 and first disclosed to the public on June 17; the NAIC's most recent status update was posted on June 26.

According to the NAIC, the compromise was part of "a broad campaign to exploit a vulnerability in PeopleSoft that was unknown to the developer or software users at the time, which affected multiple organizations." Once inside the PeopleSoft environment, the attacker "obtained information needed to gain temporary access to certain data storage areas" and published some of the data accessed.

Data the NAIC says was accessed or published

The NAIC's preliminary findings identify three categories of data the attacker accessed or published:

  • Statutory financial reporting information that was already publicly available through state websites like InsData or through resellers;
  • Credit rating agency data, including rating determinations of insurer investments;
  • Additional storage data that was "potentially" accessed, described by the NAIC as routine technical information such as outdated logs or configuration information.

Data the NAIC says was NOT compromised

The association notified users about a set of critical data elements it says were not taken in the breach. The NAIC lists these explicitly:

  • Personal information of U.S. insurance system users and employees;
  • Payment and financial account information, including credit card or banking information;
  • Rating agency investment rationale reports;
  • Information on any U.S. state insurance departments' systems;
  • Information linked to the National Insurance Producer Registry (NIPR) or the Teammate software provider;
  • Data from some insurance processes, including electronic funds transfer, risk-based capital data, policyholder information, producer data and event registration payment information.

Separately, the NAIC denied the attacker's claims that they gained access to technology provided by the NAIC—specifically naming SERFF (System for Electronic Rate and Form Filing), OPTins (Online Premium Tax for Insurance), UCAA (Uniform Certificate Authority Application), EDP (Enterprise Data Platform) and RDC (Regulatory Data Collection). The association said outside cybersecurity experts "confirmed the unauthorized party did not take this information, nor compromised these regulatory reporting systems."

Operational impact: NAIC and the credit rating process

The NAIC reports it "promptly" contained the breach after detection and blocked the attacker’s access. It engaged outside counsel and cybersecurity experts and has taken additional steps to strengthen defenses, the association said. Most NAIC operations have returned to normal; the lone exception reported is that online invoice payment via PeopleSoft remains unavailable.

Because some credit rating agencies paused their data feeds following the incident, the NAIC temporarily suspended assigning designations to insurer investments. "Insurers should monitor [Automated Valuation Service Plus] AVS+ for any updates," the NAIC advised, and said it is meeting with credit rating providers and has provided third‑party assurances that its systems are secure and that the NAIC designation process can resume.

How technologists, insurers, and the public are responding

Technologists and security teams: The NAIC engaged outside cybersecurity experts and outside counsel and says it has strengthened its defenses; outside experts also assessed that certain regulatory reporting systems were not compromised. The association has taken the immediate containment steps the update lists and is coordinating with the FBI.

Insurers and credit rating providers: Several credit rating agencies paused data feeds, prompting the NAIC to suspend designations for insurer investments until assurances are in place; the NAIC is meeting with credit rating providers and instructing insurers to monitor AVS+ for updates.

The public and insurance system users: The NAIC has notified users that, according to its findings, personal information of U.S. insurance system users and employees and payment and financial account information were not compromised. At the same time, published credit rating data and some publicly available statutory filings were among the items the NAIC says were exposed.

The NAIC's statements leave a short checklist of next steps: follow-up with credit rating providers, restore PeopleSoft invoice payments, and continue FBI coordination while outside experts confirm the scope of stored data the attacker accessed. The association's June 26 update frames the incident as part of a broader campaign against PeopleSoft installations and as a case in which rapid containment, third‑party review, and cross‑industry coordination are central to recovery.