NAIC Insurance Regulators Hit in Oracle PeopleSoft Hack
Summary: The NAIC disclosed a cyberattack linked to a zero-day flaw in Oracle’s PeopleSoft, with ShinyHunters allegedly targeting sensitive data.
Overview of the Breach
The National Association of Insurance Commissioners (NAIC) disclosed that it was a victim of a recent cyberattack exploiting a critical vulnerability in Oracle’s PeopleSoft platform. The breach, linked to a zero-day flaw tracked as CVE-2026-35273, was first identified on June 11 when Oracle released an emergency advisory detailing the flaw, which enables unauthenticated remote code execution.
Initial Reports and Vulnerability Details
While Oracle’s initial statement did not confirm active exploitation, external reports from entities like Google indicated that malicious actors were leveraging the vulnerability. The campaign has been attributed to the ShinyHunters cybercriminal group, which claims to have targeted multiple organizations to exfiltrate sensitive data.
Impact and Data Access
The NAIC, a U.S. regulatory body overseeing state insurance policies and model laws, reported unauthorized system access on June 11 through the PeopleSoft vulnerability. An internal investigation revealed that attackers accessed non-sensitive data, including statutory financial reporting materials, credit rating agency information, and outdated system logs.
Data Compromised and Denials
The organization emphasized that no personally identifiable information, payment details, or financial account data was exposed. Additionally, state insurance departments and core regulatory reporting systems remained unaffected, contradicting initial assertions by the attackers.
ShinyHunters’ Claims and Revisions
ShinyHunters publicly listed the NAIC on its data leak platform on June 18, asserting the theft of over 105,000 files totaling 3.1 terabytes, including 2.1 million insurer regulatory filings. Subsequent updates from the group revised these claims, stating that the initial report was based on an AI-generated misinterpretation of data.
Revised Claims and Scope
The revised statement reduced the number of allegedly stolen files to 260,000 regulatory documents and removed references to data categories explicitly denied by the NAIC. The ShinyHunters campaign reportedly targeted more than 100 organizations, though the NAIC is the first confirmed victim to acknowledge data compromise.
Broader Implications and Targets
The University of Nottingham is also believed to have been affected by the same operation, though its public disclosure did not specify the PeopleSoft vulnerability as the attack vector. The incident underscores the growing threat of zero-day exploits in enterprise environments, with attackers leveraging unpatched software flaws to access critical infrastructure.
Industry Response and Lessons Learned
The NAIC’s disclosure highlights the importance of timely vulnerability management and transparency in incident response. Security experts have noted that such breaches often involve sophisticated techniques to obscure the true extent of data exposure, requiring rigorous forensic analysis to validate claims.
Conclusion and Recommendations
The attack aligns with broader trends of cybercriminal groups exploiting software supply chain weaknesses to target regulatory and educational institutions. As organizations continue to grapple with evolving threat landscapes, the incident serves as a reminder of the need for proactive security measures and collaboration between vendors, regulators, and cybersecurity professionals to mitigate risks.
According to the NAIC, no personally identifiable information or financial account data was exposed during the breach.
