ShinyHunters Breach Exposes NAIC's Public Data

"An unauthorized third party gained access to a portion of our IT systems," the National Association of Insurance Commissioners (NAIC) said after discovering on June 11 that its Oracle PeopleSoft system had been breached.

How the attackers exploited CVE-2026-35273 in Oracle PeopleSoft

The intrusion follows a series of zero-day attacks tied to the ShinyHunters extortion group that exploited a PeopleSoft vulnerability identified as CVE-2026-35273. BleepingComputer reported the group's use of the zero-day before Oracle publicly disclosed the security issue. According to the threat actor, both cloud and on-premises PeopleSoft instances were targeted, and extortion demands left behind at breached sites bore ShinyHunters' signature. The group also says the zero-day spree affected more than 100 organizations.

ShinyHunters' published haul and a corrected inventory

On June 25 the threat actor published an updated inventory claiming to hold 3.1 TB of data that it said corresponded to 105,000 files taken from NAIC systems, naming INSData and Vision servers among the sources. The posted inventory enumerated multiple categories of material, including:

  • 264,000 insurer regulatory filing PDFs dated between 2017 and 2024
  • 2,000 customer/order/payment records
  • 45,000 rating agency files
  • AWS infrastructure configuration files
  • Stored credentials for SERFF, OPTins, and UCAA production environments

The group acknowledged that an earlier summary of the stolen data had been exaggerated because it relied on "AI hallucinations" when evaluating files, and said the June 25 inventory had been validated by a human reviewer and "should be considered accurate."

NAIC's investigation: publicly available data, not PII or core platform compromise

The NAIC responded to the leak by saying the attackers accessed and, in some cases, stole files that were already publicly available, along with outdated logs and configuration information. The organization reported its investigation found no evidence of personally identifiable information (PII) or financial data being exposed. NAIC also directly disputed claims by the threat actor that critical insurance regulatory platforms such as SERFF (System for Electronic Rate and Form Filing), OPTins (Online Premium Tax for Insurance), and SBS (State-Based Systems) had been compromised.

NAIC said all affected systems have been remediated and that it is implementing additional defenses to reduce the likelihood of future successful exploitation.

Operational consequences: rating feeds and paused investment work

The incident had immediate operational effects. Credit rating agencies temporarily suspended data feeds following the breach, and the NAIC paused investment designation work. Those disruptions underscore a gap between the scope claimed by the attackers and the organization’s published findings: while ShinyHunters released a broad inventory and asserted access to credentials and infrastructure, NAIC's published assessment framed the breach largely as exposure of public and outdated files rather than a compromise of core regulatory platforms or sensitive personal or financial records.

What this means for insurers, credit rating agencies, and security teams

  • Insurers: Firms that submit statutory filings and regulators that host those records will want to review whether public-facing filings or repository mirrors require stricter controls or altered disclosure practices, given the attackers’ emphasis on regulatory filing PDFs.
  • Credit rating agencies: The temporary suspension of data feeds highlights immediate operational risk; agencies will monitor data integrity and resumption procedures closely as NAIC completes remediation and hardening.
  • Security teams: The episode reinforces detection and validation challenges. A statistic cited alongside reporting of the breach notes that security teams log 54% of successful attacks but alert on just 14%—a gap suppliers such as Picus argue can be narrowed with breach-and-attack simulation to test SIEM and EDR rules.

NAIC’s public statements close the immediate incident loop—systems remediated and additional defenses promised—but the discordant public claims from ShinyHunters, the group's corrected yet expansive inventory, and the temporary operational impacts leave concrete questions: which files were actually exfiltrated, whether any credentials now in the wild can be tied to active production systems, and how resumption of suspended data feeds will be validated. Those answers will determine whether the event remains a breach of largely public material or escalates into a wider operational and data-integrity crisis.

Original reporting: BleepingComputer — NAIC says public data stolen in ShinyHunters' PeopleSoft breach