3.1TB of NAIC data dumped on to the dark web

The insurance industry's blueprint may be in it

By Matthew Sellers

The extortion deadline passed, and on Thursday, ShinyHunters made good on its threat.

The notorious cybercriminal group posted 3.1 terabytes of data it claims was stolen from the National Association of Insurance Commissioners on its dark web leak site, hours after the NAIC confirmed for the first time that data taken in a June breach had been "published online by the group responsible." The NAIC did not name ShinyHunters directly, but the attribution has been confirmed by Google's Mandiant unit.

The publication follows a warning ShinyHunters had issued earlier in the month: contact them by June 22 or the data goes up. The NAIC did not pay. The NAIC first confirmed the breach on June 17; it had identified unauthorised access to its Oracle PeopleSoft systems on June 11 and brought in the FBI and outside cybersecurity experts at that point.

What the dump contains

ShinyHunters revised its claims about the dataset on Thursday, saying its earlier account of the contents was an "overstatement" caused by "an analytical error and an AI-generated misinterpretation of the underlying data." Its amended version describes the 3.1TB trove as containing more than 264,000 insurer regulatory filing PDFs spanning property, casualty, health and life insurance companies between 2017 and 2024; approximately 45,000 files from credit rating agencies including Moody's, Fitch, S&P, Kroll, DBRS, AM Best, Egan-Jones and HR Ratings; statutory annual and quarterly financial statements submitted by insurers; around 2,000 customer and bulk order records with names, email addresses and payment transaction identifiers; production AWS infrastructure logs and cloud configuration files; and SQL scripts with stored credentials tied to production environments.

The NAIC disputes portions of this. It said investigators found no evidence that core systems were compromised and that SERFF, OPTins, UCAA, the Electronic Data Platform and the Regulatory Data Catalog were not accessed. It confirmed that what was taken was statutory financial reports, insurer investment credit rating data, and what it described as "outdated logs and configuration files." It said no personally identifiable information, payment data, producer data or policyholder information was taken.

Why the infrastructure files are the real concern

The NAIC's framing of the configuration files as "outdated" may be accurate - but it does not address the security concern they raise. Infrastructure files, cloud configuration data and production backups can give an adversary a detailed map of how an organisation's systems are connected and how data moves between them. The leaked directory listings reportedly include cloud templates, configuration buckets, application settings and automation platform data. A group that already has a functioning Oracle PeopleSoft exploit and a dataset of credentials and infrastructure configurations is better positioned for a follow-on attack than one that simply stole filing documents.
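One defensive check that follows from this: before configuration files, SQL scripts and backups ever reach an exposed bucket or a leak site, scan them for embedded credentials so they can be rotated. The scanner below is an added example written for this article, not code from the NAIC or any investigator; the file names, sample contents and secret values are all constructed, and the patterns are a minimal starting set, not a complete secret-detection ruleset.

```python
import re
from dataclasses import dataclass

# Patterns for credential material commonly left in SQL scripts and cloud
# configuration files. Group 1 of each pattern captures the secret itself.
CREDENTIAL_PATTERNS = {
    "sql_connection_password": re.compile(
        r"(?i)\b(?:password|pwd)\s*=\s*['\"]?([^;'\"\s]+)"),
    "url_embedded_password": re.compile(r"://[^:/\s]+:([^@\s]+)@"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b(?:secret|api[_-]?key|token)\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{12,})"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # redacted value, safe to paste into a rotation ticket

def redact(value: str) -> str:
    """Keep a 4-character prefix so the report never reproduces the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-like match, scanning line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(1))))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample inputs (hypothetical paths and values, not leaked material).
SAMPLE_FILES = {
    "deploy/load_ratings.sql": (
        "-- nightly load of the rating agency feed\n"
        "-- Server=db.internal;Database=ratings;User Id=svc_loader;Password=Pr0d-P4ss!;\n"
        "CREATE DATABASE SCOPED CREDENTIAL feed WITH IDENTITY='svc_feed', SECRET='hunter2hunter2';\n"
    ),
    "infra/app-settings.yaml": (
        "db_url: postgres://app:NotARealPw99@db.internal:5432/filings\n"
        "aws_access_key_id: AKIAEXAMPLEKEY000001\n"
        "region: us-east-1\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.preview}")
```

Every hit is a credential to rotate, not merely a file to delete: once a script or config has left the environment, treating its secrets as compromised removes the follow-on value of the dump.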

Data-theft-only attacks - where groups steal and publish without deploying ransomware - rose from 49% of extortion claims in H1 2025 to 65% in H2 2025. ShinyHunters deployed no encryption here. The model is acquire, threaten, publish - and use whatever infrastructure intelligence the data contains for the next operation.

One operational consequence is already running. Credit rating agencies paused their data feeds to the NAIC after the breach, and the NAIC has temporarily suspended assigning investment designations to insurer portfolios. That directly affects how insurers classify and capitalise their investment holdings under state regulatory frameworks. Most other NAIC operations have returned to normal, with the exception of the credit rating provider data feeds, which the NAIC says it is awaiting assurances on before restoring.

The broader pattern

NAIC is one entry in a lengthening list. ShinyHunters has posted Amazon One Medical, the Council of Europe, Kodak and DentaQuest on its leak site during the same June campaign, all products of the same Oracle PeopleSoft zero-day that ran for 14 days before Oracle released a patch on June 10.

The FBI's 2026 Internet Crime Report found US cyber losses hit nearly $21 billion in 2025, with governing bodies and regulatory organisations among the top three most targeted sectors globally. Microsoft Entra data puts identity attacks against those entities at more than 600 million per day. What makes the NAIC a particularly consequential target is its position at the centre of US insurance regulation - holding data from thousands of insurers and connected to all 50 state regulatory departments. A breach of its systems circulates through the industry rather than staying contained to a single entity.

The FBI investigation is ongoing. For insurers and state regulators whose filings, financial statements and rating data now sit on a dark web leak site, the question of what gets done with that data - and when - has no current answer.
