A hacking campaign against Oracle’s PeopleSoft software has compromised more than 100 organizations. The breach raises fresh exposure concerns for cyber underwriters and the higher education clients they cover.
Alphabet’s Mandiant unit and Google Threat Intelligence Group attributed the campaign to the group ShinyHunters, Reuters reported.
The attacks ran between May 27 and June 9, 2026, according to Google.
PeopleSoft is an enterprise resource planning suite. Organizations use it to manage human resources, finance, and supply-chain operations.
Google said it notified more than 100 organizations whose IP addresses matched potentially vulnerable endpoints. Most were based in the US, and 68% were in the higher education sector, according to Reuters.
The breach landed before Oracle issued a security advisory on June 10. The hackers, therefore, exploited the flaw as a “zero-day,” with no patch available at the time. Zero-day events often fall outside exclusions that depend on a known, unpatched vulnerability.
The zero-day nature of the attack points to a known underwriting blind spot. Industry experts have warned that an unforeseen exploitation of a widely used control can force carriers to re-underwrite risk quickly.
They have also flagged vendor aggregation exposure, where one software flaw cascades across many insured clients, as a growing market concern.
ShinyHunters has a record of targeting global companies for extortion. Last month, the group struck a deal with Instructure, the parent company of the education platform Canvas, to secure stolen student and school data, Reuters reported.
The Canvas breach showed the scale of that accumulation risk. The incident potentially exposed the data of up to 275 million students across roughly 9,000 institutions.
A single compromise of a shared platform can trigger claims for incident response, business interruption, and privacy liability across thousands of organizations at once.
The PeopleSoft campaign also fits a wider move away from encryption toward pure data theft. Industry research found that data-theft-only attacks rose from 49% of extortion claims in the first half of 2025 to 65% in the second half. This trend raises breach-notification and regulatory costs for insurers.
The campaign reinforces the value of incident response planning and vendor patch management as conditions of coverage. Insurers increasingly tie premium terms and claim outcomes to how quickly a policyholder can detect and contain an intrusion.
