Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack

The National Association of Insurance Commissioners (NAIC) has confirmed it was targeted in the recent hacking campaign that exploited an Oracle PeopleSoft zero-day vulnerability. The PeopleSoft zero-day attacks came to light on June 11, when Oracle published an out-of-band advisory for a vulnerability tracked as CVE-2026-35273, which allows unauthenticated remote code execution.  The company did not mention in-the-wild exploitation in its public advisory, but Google and others confirmed seeing attacks. The ShinyHunters cybercrime group appears to be behind the campaign, claiming to have targeted many organizations to steal their data.  The US state insurance regulatory body NAIC has come forward to say that it was targeted in the campaign.  NAIC is run by state insurance regulators and coordinates policy, develops model laws, and supports oversight across all 50 states. In a security incident notice posted on its website on June 26, NAIC said it learned of unauthorized access to its systems via an Oracle PeopleSoft vulnerability on June 11.  An investigation showed that hackers gained access to publicly available statutory financial reporting information, credit rating agency data, and technical information such as outdated logs and configuration data. According to the NAIC, personally identifiable information, as well as payment and financial account information, was not compromised. The organization said state insurance departments’ systems were not impacted, and neither were various regulatory reporting systems, contrary to what the hackers initially claimed. ShinyHunters added NAIC to its leak website on June 18, claiming to have stolen over 105,000 files totaling more than 3.1 TB, including 2.1 million insurer regulatory filing documents.  The cybercriminals later shared an update saying that the initial statement was based on “an AI-generated misinterpretation of the underlying data” and that some of the claims regarding the type of data that was compromised were not accurate. The updated statement says only 260,000 insurer regulatory filing documents were stolen and removes references to services that NAIC said were not compromised. The cybercriminals claim to have targeted more than 100 organizations in the Oracle PeopleSoft campaign, but NAIC appears to be the first victim to publicly confirm that its data was compromised.  The University of Nottingham is also reportedly a victim of the same operation, but it has not mentioned PeopleSoft in its public disclosure of the incident.  Related: Kodak Admits Data Breach After ShinyHunters Hack Claims Related: More Klue Breach Victims Identified as Hackers Get Hacked WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories $3 Million Reportedly Stolen in Polymarket Hack First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning Cisco SD-WAN Zero-Day Exploited Months Before Patching Microsoft and Allies Smash Shared Infrastructure of Amadey and StealC Malware macOS Weaknesses Chained to Silently Disable Endpoint Security Agents Latest News WhatsApp Rolling Out Username Feature to Bolster Phone Number Privacy Researchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer Machines Straiker Raises $64 Million for AI Security Platform ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access OpenAI and Anthropic Limit New AI Models to Trump-Approved Customers During Cybersecurity Review US Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks Evolve OpenAI Unveils GPT-5.6 Sol as Its Most Advanced Cybersecurity AI Chinese Framework Powers 200,000 Scam Sites Trending Webinar: Why Email Security Keeps Failing (And What Has To Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the Move Mark Carter has been appointed Chief Information Security Officer at Socure. Spektrum Labs has named Mark Cravotta Chief Operating Officer. Philip Martin has joined Uber as Chief Information Security Officer. More People On The Move Expert Insights When Information Becomes The Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told The Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Email