The National Association of Insurance Commissioners (NAIC) confirmed on June 25 that data taken from its IT systems has been published online by the ShinyHunters extortion group, which exploited a zero-day vulnerability in Oracle PeopleSoft. The NAIC says no personally identifiable information or payment data was accessed, while the group claims to have stolen 3.1 terabytes of regulatory filings and credit rating agency files.
The National Association of Insurance Commissioners (NAIC), the standard-setting body that supports all fifty US state insurance departments, is at the center of one of the most significant cybersecurity incidents to hit the US insurance regulatory infrastructure. In a series of updates culminating on June 25-26, 2026, the NAIC confirmed that data taken from its systems earlier in the month has been published online by the threat actors responsible.
The breach originated from a zero-day vulnerability in Oracle PeopleSoft software (tracked as CVE-2026-35273), which Oracle patched in an emergency security alert on June 10. The flaw was part of a broad mass-hacking campaign that reportedly affected more than 100 organizations. The NAIC identified the unauthorized access on or about June 11, contained the incident, engaged outside cybersecurity experts, and began coordinating with the FBI. PeopleSoft was used by the NAIC primarily for internal financial reporting.
The ShinyHunters extortion group claimed responsibility, alleging it stole 3.1 terabytes of data comprising more than 105,000 files, a claim that includes large volumes of insurer regulatory filing PDFs and tens of thousands of files from major credit rating agencies such as Moody's, Fitch, S&P, Kroll, DBRS, and AM Best, containing financial identifiers like CUSIP and ISIN numbers. However, the NAIC, working with an external data consultant, stated that based on its review, the published data appears to consist of statutory financial reporting information that was already publicly available through state websites and resellers, along with credit rating agency rating determinations, and crucially, no rating agency investment rationale reports. The NAIC emphasized that no personally identifiable information, payment data, employee data, policyholder information, or producer data was accessed.
The incident has drawn criticism from industry trade groups over the NAIC's communications. The National Association of Mutual Insurance Companies (NAMIC) wrote that it was 'troubled' by the lack of a directed alert, noting the NAIC posted its first public notice nearly a week after detecting the event. The American Property Casualty Insurance Association (APCIA) called for clearer direction so it could advise member companies. The NAIC says its regulatory filing systems are operating normally and remain secure, and that comparing the full scope of leaked data with its own analysis could take several weeks.
Key Points
- NAIC confirmed on June 25 that data from its systems was published online by the ShinyHunters group
- The breach exploited a zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273), patched June 10
- NAIC says published data appears to be already-public statutory filings and credit rating determinations
- No PII, payment, employee, policyholder, or producer data was accessed, per NAIC's investigation
- Trade groups NAMIC and APCIA criticized the NAIC's delayed and unclear communication about the incident
Why This Matters
The NAIC sits at the heart of the US state-based insurance regulatory system, and a breach of its systems raises serious questions about the security of sensitive financial data across the entire insurance industry. Even if the leaked data was largely public, the incident underscores how supply-chain and software vulnerabilities can expose critical financial infrastructure. For insurers, rating agencies, and regulators, the event is a stark reminder of accumulation risk in cyber: a single software flaw can simultaneously compromise hundreds of organizations.