
NAIC Confirms Cyberattack Linked to Oracle PeopleSoft Zero-Day as Insurance Systems Face Disruptions

NAIC has confirmed a cyberattack exploiting an Oracle PeopleSoft zero-day, disrupting insurer investment designation services following earlier claims by ShinyHunters.
NAIC has confirmed a cyberattack involving exploitation of an Oracle PeopleSoft zero-day after previously appearing on the ShinyHunters leak site. The incident temporarily disrupted several insurance regulatory services while the organization continues its investigation.

The National Association of Insurance Commissioners (NAIC) has confirmed it suffered a cyberattack after attackers exploited a zero-day vulnerability affecting Oracle PeopleSoft, with the incident disrupting key insurance regulatory services and following earlier extortion claims by the ShinyHunters ransomware group.

NAIC said it detected unauthorized access to part of its environment on June 11 after attackers exploited the vulnerability to access its PeopleSoft environment before moving into certain internal data storage locations. The organization said it immediately contained the intrusion, notified law enforcement, and engaged third-party cybersecurity specialists to investigate.

The confirmation follows BreachNews’ June 19 reporting, when ShinyHunters added NAIC to its leak site and claimed to have stolen approximately 3.1 TB of data. At the time, the allegations could not be independently verified.

Operations impacted following intrusion

While NAIC said most of its services have now returned to normal, the incident continues to affect several operational systems.

The organization confirmed that insurer investment designation processing remains suspended after multiple credit rating agencies temporarily halted the transfer of information used in the designation process. Online invoice payments through PeopleSoft also remain unavailable while remediation work continues.

NAIC emphasized that the attack did not compromise state insurance department systems and said independent investigators determined that several major regulatory platforms, including insurer filing, licensing, and reporting systems, were not affected.

Investigation details emerge

According to NAIC, attackers exploited an Oracle PeopleSoft zero-day vulnerability that has been linked to a wider campaign targeting organizations running the enterprise software platform. The organization said the access path has since been blocked.

Its investigation found that the attackers obtained publicly available statutory financial reporting information, insurer investment credit rating data, and certain technical information including outdated logs and configuration files.

NAIC stated it has found no evidence that personal information, banking information, or payment card data was accessed during the incident.

Although NAIC did not identify the attackers, the timeline closely aligns with claims made by ShinyHunters, which listed the organization on its extortion site shortly after the incident became public. The group alleged it had stolen more than 3.1 TB of data, including insurer regulatory filings, financial statements, customer records, cloud infrastructure logs, SQL scripts, and internal documentation. BreachNews has not independently verified the authenticity or scope of those claims.

Part of a broader Oracle campaign

The incident forms part of a broader campaign targeting Oracle PeopleSoft deployments. As previously reported by BreachNews, attackers began exploiting the zero-day before Oracle released emergency security updates, with security researchers linking the activity to compromises affecting more than 100 organizations worldwide.

The NAIC incident represents one of the highest-profile confirmed victims tied to the campaign and highlights how vulnerabilities in widely deployed enterprise software can disrupt critical services supporting regulated industries. Although the organization said core regulatory systems remain operational, the ongoing suspension of insurer investment designation processing demonstrates the operational impact such attacks can have beyond the initial network compromise.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
