A cybercriminal group has published 3.1 terabytes of data it claims was stolen from the United States' national insurance regulatory body - one of the most significant cyber incidents to hit the global insurance industry this year, and one with direct implications for international carriers, reinsurers and brokers with US exposure.
The group, known as ShinyHunters, posted the data to its dark web leak site on Thursday after the National Association of Insurance Commissioners (NAIC) - the body that co-ordinates insurance regulation across all 50 US states and holds data from thousands of licensed insurers - confirmed that stolen data had been "published online by the group responsible." Attribution has been confirmed by Google's Mandiant cybersecurity unit.
The attack originated in late May, when ShinyHunters began exploiting a critical flaw in Oracle's PeopleSoft business management software. The vulnerability, rated 9.8 out of 10 for severity, required only a network connection to exploit and allowed attackers to obtain credentials before moving through internal data storage systems. Oracle released no advisory until 10 June - a 14-day window during which the same flaw was used to compromise more than 100 organisations worldwide. The NAIC identified the breach on 11 June and brought in the FBI and outside cybersecurity specialists.
ShinyHunters issued a warning: make contact by 22 June or the data would be published. The NAIC did not respond. The publication of the data on Thursday confirms it did not pay the extortion demand.
ShinyHunters revised its account of the dataset on Thursday, acknowledging an earlier description was an "overstatement" caused by "an analytical error and an AI-generated misinterpretation of the underlying data." Its amended claim describes the trove as containing more than 264,000 insurer regulatory filing documents spanning property, casualty, health and life companies between 2017 and 2024; approximately 45,000 files from credit rating agencies including Moody's, Fitch, S&P and AM Best containing financial identifiers used in global debt markets; statutory annual and quarterly financial statements submitted by insurers; around 2,000 customer records with names, email addresses and payment identifiers; production cloud infrastructure logs and configuration files; and database scripts containing stored credentials tied to live production systems.
The NAIC disputes the full extent of this. Its investigators found no evidence that core operational systems were accessed, and it confirmed that no personally identifiable information, payment data or policyholder information was taken. What it acknowledged as stolen includes statutory financial reports, insurer credit rating data, and what it described as "outdated logs and configuration files."
The NAIC's position makes this breach different from a standard corporate hack. As the central co-ordinating body for US insurance regulation, it holds regulatory filings, financial statements and rating data across the entire US market. A breach of its systems reaches across the industry rather than stopping at one company's perimeter.
For international carriers and reinsurers, two elements of the alleged dataset carry relevance beyond US borders. The rating agency files reportedly contain CUSIP and ISIN identifiers - the standard reference numbers used in global bond and debt markets. Rating data tied to those identifiers, combined with insurer financial statements, could be used in market manipulation or targeted financial fraud by any actor with the sophistication to exploit it, regardless of jurisdiction.
The infrastructure files are the second concern. Security researchers have noted that cloud configuration data and stored credentials - even if the systems they describe have since been patched - give a capable attacker a map of how the NAIC's environment is connected and how data flows through it. Infrastructure files and production backups can provide a detailed roadmap of an organisation's internal architecture, enabling follow-on operations months after the original breach.
There is one immediate operational consequence. Credit rating agencies suspended their data feeds to the NAIC after the breach was confirmed, and the NAIC has temporarily halted assigning investment designations to insurer portfolios. That suspension affects how US insurers must classify and capitalise their investment holdings under state regulatory requirements - a practical disruption to routine compliance processes across the market.
The NAIC attack is part of a concentrated ShinyHunters campaign running through June, which has also struck Amazon One Medical, the Council of Europe, Kodak and dental insurer DentaQuest using the same Oracle PeopleSoft flaw.
The approach these groups now favour is worth understanding. Data-theft-only attacks - where criminals steal and publish without deploying encryption - rose from 49% of extortion cases in the first half of 2025 to 65% in the second half. There is no ransomware to decrypt, no operational disruption to reverse, and no technical recovery that removes the problem. Once data is published on a dark web leak site it is permanently in circulation. The leverage is not access - it is exposure, and paying removes neither.
The FBI's 2026 Internet Crime Report recorded US cyber losses of nearly $21 billion in 2025, with regulatory bodies and governing organisations ranked among the top three most targeted sectors globally. The logic is straightforward: a single breach of a regulatory body reaches across every company that files with it. The NAIC connects to thousands of insurers and all 50 US state departments. For a group running a commercial extortion operation, it is a more efficient target than any single carrier.
The FBI investigation continues. The rating agency data feeds have not yet been restored. If you do business in the US insurance market, your data may be on the dark web already.