The US National Association of Insurance Commissioners (NAIC) confirmed on June 25 that data stolen in a cyberattack on its Oracle PeopleSoft system has been published online by the hacking group ShinyHunters. The breach, discovered on June 11, exploited a zero-day vulnerability and is part of a broader campaign affecting more than 100 organizations. The NAIC says no personally identifiable information or payment data was accessed, though credit rating agencies have paused data feeds.
The National Association of Insurance Commissioners (NAIC), the standards-setting body that supports insurance regulators across all 50 US states, has confirmed that data taken in a cyberattack on its systems has been published online. The NAIC discovered unauthorized access to its Oracle PeopleSoft system on or about June 11, 2026, and issued its first public notice on June 17, with a significant update on June 25 confirming the data leak.
The attack exploited a critical zero-day vulnerability in Oracle PeopleSoft (tracked as CVE-2026-35273), an unauthenticated remote code execution flaw carrying a maximum-severity CVSS score of 9.8 out of 10. Oracle did not publish an advisory until June 10, meaning the flaw was actively exploited for at least 14 days before any official patch existed. The NAIC said the intrusion was part of a broad criminal campaign that struck more than 100 organizations worldwide, attributed to the threat actor group ShinyHunters, which has a record of large-scale data theft and extortion. The group claimed to have obtained 3.1 terabytes of data spanning more than 105,000 files and issued an extortion deadline of June 22.
The NAIC's internal investigation, supported by outside cybersecurity experts and coordinated with the FBI, concluded that the hackers did not gain the scope of access they claimed. Crucially, the NAIC stated that no personally identifiable information, payment data, credit card or banking information, policyholder data, producer data, or risk-based capital data was accessed. The regulator's core regulatory reporting systems (including the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), and the Uniform Certificate Authority Application (UCAA)) were confirmed not to have been compromised. The data that was accessed consisted largely of publicly available statutory financial reporting information and credit rating agency determinations.
The incident has nonetheless caused operational disruption: certain credit rating agencies paused their data feeds to the NAIC, prompting the organization to temporarily suspend its assignment of designations to insurer investments, a process that could take months to fully restore. Industry bodies including the National Association of Mutual Insurance Companies (NAMIC) criticized the NAIC's communication timeline, noting the gap between the June 11 discovery and the first public post. The breach underscores the systemic cyber risk facing regulatory bodies, which Microsoft data shows receive more than 600 million identity attacks per day globally.
Key Points
- NAIC confirmed on June 25 that stolen data was published online by hacking group ShinyHunters
- The breach exploited a zero-day PeopleSoft vulnerability (CVE-2026-35273) with a 9.8/10 severity score
- NAIC says no personally identifiable information, payment, or policyholder data was accessed
- Credit rating agencies paused data feeds, suspending NAIC investment designation services
- The attack was part of a broader campaign affecting over 100 organizations worldwide
Why This Matters
The NAIC is the central nervous system of US state-based insurance regulation, handling vast volumes of financial and regulatory data from thousands of insurers. A breach of this body, even one where personal data was reportedly not taken, raises serious concerns about the concentration of sensitive financial data in regulatory systems. For insurers, the temporary suspension of NAIC investment designations creates operational uncertainty. The incident is a stark reminder that regulators themselves are prime cyberattack targets, and that even zero-day vulnerabilities in widely used enterprise software can cascade across an entire industry.