The National Association of Insurance Commissioners (NAIC) has confirmed that data stolen in a June ransomware attack via an Oracle PeopleSoft zero-day vulnerability has been published online by the ShinyHunters group, which claims to have taken 3.1 terabytes of data across more than 105,000 files. The NAIC says no personally identifiable information or payment data was accessed, though credit rating agencies have paused data feeds, temporarily suspending the assignment of insurer investment designations.
The National Association of Insurance Commissioners (NAIC) โ the standard-setting body that supports insurance regulators across all 50 US states โ has confirmed it was the victim of a significant cyberattack, with stolen data now published online by the threat actor responsible. The intrusion was identified on June 11, 2026, and publicly disclosed beginning June 17, with the NAIC providing a series of updates through late June.
The breach was carried out via a critical zero-day vulnerability in Oracle PeopleSoft (tracked as CVE-2026-35273), an unauthenticated remote code execution flaw carrying a maximum-severity CVSS score of 9.8 out of 10. The flaw was actively exploited for roughly two weeks before Oracle published any official advisory on June 10. The NAIC said the attack was part of a broad criminal campaign that struck more than 100 organizations worldwide. The ransomware group ShinyHunters claimed responsibility, alleging it stole 3.1 terabytes of data โ more than 105,000 files โ and posted the material on its leak site after the NAIC apparently did not meet a June 22 extortion deadline.
ShinyHunters claimed access to key NAIC regulatory technology including the System for Electronic Rate and Form Filing (SERFF), the Online Premium Tax for Insurance (OPTins), the Uniform Certificate of Authority Application (UCAA), the Enterprise Data Platform (EDP), and the Regulatory Data Collection (RDC). However, the NAIC said outside cybersecurity experts confirmed these regulatory reporting systems were not compromised. The organization stated that no personally identifiable information, payment data, employee personal data, electronic funds transfer information, risk-based capital data, policyholder information, or producer data was accessed. The NAIC said it does not believe the group holds the volume or scope of data it has publicly claimed.
One operational impact remains active: certain credit rating agencies paused their data feeds following the incident, leading the NAIC to temporarily suspend assigning designations to insurer investments โ a process used in determining the financial health and capital treatment of insurer portfolios. The FBI is coordinating on the investigation. The National Association of Mutual Insurance Companies (NAMIC) criticized the NAIC's communication timeline, noting the gap between the June 11 discovery and the first June 17 public post, and called for an assessment of concentration risk given the volume of sensitive industry data the NAIC holds.
Key Points
- 1NAIC confirmed a cyberattack via an Oracle PeopleSoft zero-day flaw (CVE-2026-35273, CVSS 9.8)
- 2ShinyHunters claims to have stolen 3.1 terabytes of data across 105,000+ files and published it online
- 3NAIC says no personally identifiable information, payment, or policyholder data was accessed
- 4Credit rating agencies paused data feeds, suspending NAIC insurer investment designations
- 5The FBI is coordinating the investigation; the attack hit 100+ organizations globally
Why This Matters
The NAIC sits at the center of the US insurance regulatory system, and its data and analysis influence everything from insurer financial-strength assessments to product pricing and oversight. A breach of its infrastructure has potential ripple effects across the entire insurance industry, which the US government classifies as critical infrastructure. For insurers, agents, and consumers, the incident is a stark reminder that even core regulatory bodies face escalating cyber risk โ and underscores why cyber insurance and operational resilience have become board-level priorities.
Related Stories
US Hiring Slows Sharply in June as Payrolls Rise Just 57,000
July 4, 2026
Soft Jobs Data Lift US Stocks and Rate-Cut Bets While the Dollar Slides
July 4, 2026
New York Issues Guidance Aimed at Lowering Auto Insurance Premiums
July 4, 2026
Colorado Regulators Say Individual Health Premiums Set to Jump About 28%
July 4, 2026
Daily Intelligence
The PolicyGlobal Daily Brief
Get the top 5 insurance and finance stories every morning, curated and verified by our editorial desk. No spam. Unsubscribe anytime.
Informational newsletter only. Not financial advice. Disclaimer