The National Association of Insurance Commissioners (NAIC) has confirmed a cyberattack on its Oracle PeopleSoft systems. The breach, identified on June 11 and announced publicly on June 23, 2026, exposed portions of its data infrastructure. The FBI and outside cybersecurity experts are involved in the investigation.
The NAIC said an unauthorized party exploited a flaw in PeopleSoft to obtain credentials granting temporary access to certain data storage areas. That access has since been blocked and affected systems have been remediated.
The NAIC said the incident is part of a broader criminal campaign that struck more than 100 organizations worldwide.
The campaign has been attributed to ShinyHunters, a group with a record of targeting large organizations for data theft and extortion. Alphabet’s Mandiant unit and Google Threat Intelligence Group confirmed the attribution.
The attack window ran between May 27 and June 9, 2026, according to Google. More than 100 organizations received notifications that their IP addresses matched potentially vulnerable endpoints. Most were based in the US, with 68% in the higher education sector.
The flaw is tracked as CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. It carries a CVSS severity score of 9.8 out of 10 and requires only network access over HTTP to exploit.
Oracle published no advisory until June 10, so the flaw was actively exploited for at least 14 days before any official mitigation existed.
Data accessed included publicly available statutory financial reporting information and credit rating agency data, specifically rating determinations of insurer investments. The NAIC confirmed no personally identifiable information, payment data, credit card, or banking information was accessed.
The group claimed to have obtained several NAIC regulatory systems. Those claims covered the System for Electronic Rate and Form Filing (SERFF), the Online Premium Tax for Insurance (OPTins), the Uniform Certificate Authority Application (UCAA), the Enterprise Data Platform (EDP), and the Regulatory Data Collection (RDC) system. Outside cybersecurity experts confirmed those systems were not compromised.
State insurance department systems were also unaffected. Producer data, policyholder information, risk-based capital data, and employee personal data were not accessed.
The attack method is consistent with a documented shift in how threat actors operate. Industry research found data-theft-only attacks rose from 49% of extortion claims in H1 2025 to 65% in H2 2025. ShinyHunters deployed no encryption; the operation consisted only of data acquisition followed by extortion.
One operational impact remains active. Credit rating agencies paused their data feeds after the incident, and the NAIC has temporarily suspended assigning designations to insurer investments. Online invoice payment via PeopleSoft also remains unavailable.
The breach fits a wider pattern of attacks on public regulatory bodies. The FBI’s 2026 Internet Crime Report found US cyber losses hit nearly $21 billion in 2025. Governing bodies rank among the top three most targeted sectors globally. Microsoft Entra data shows those entities receive more than 600 million identity attacks per day.
The NAIC is working with credit rating providers to supply third-party verification of its systems before services resume. It said that process could take months.
The NAIC said it does not believe the group holds the volume or scope of data it has publicly claimed. As of June 23, no data from the NAIC’s environment had been published or released.
The NAIC confirmed it has cyber insurance and has contacted its carrier.