Back to Feed
BreachesJun 29, 2026

Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack

Insurance regulator NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters claims 3.1 TB stolen.

Summary

The National Association of Insurance Commissioners (NAIC) confirmed it was targeted in a campaign exploiting Oracle PeopleSoft CVE-2026-35273, a zero-day allowing unauthenticated remote code execution. ShinyHunters claimed to have stolen 3.1 TB of data including regulatory filings, though later corrected claims about the scope. NAIC stated that personally identifiable information and financial account data were not compromised, and state insurance departments' systems remained unaffected.

Full text

The National Association of Insurance Commissioners (NAIC) has confirmed it was targeted in the recent hacking campaign that exploited an Oracle PeopleSoft zero-day vulnerability. The PeopleSoft zero-day attacks came to light on June 11, when Oracle published an out-of-band advisory for a vulnerability tracked as CVE-2026-35273, which allows unauthenticated remote code execution. The company did not mention in-the-wild exploitation in its public advisory, but Google and others confirmed seeing attacks. The ShinyHunters cybercrime group appears to be behind the campaign, claiming to have targeted many organizations to steal their data. The US state insurance regulatory body NAIC has come forward to say that it was targeted in the campaign. NAIC is run by state insurance regulators and coordinates policy, develops model laws, and supports oversight across all 50 states.Advertisement. Scroll to continue reading. In a security incident notice posted on its website on June 26, NAIC said it learned of unauthorized access to its systems via an Oracle PeopleSoft vulnerability on June 11. An investigation showed that hackers gained access to publicly available statutory financial reporting information, credit rating agency data, and technical information such as outdated logs and configuration data. According to the NAIC, personally identifiable information, as well as payment and financial account information, was not compromised. The organization said state insurance departments’ systems were not impacted, and neither were various regulatory reporting systems, contrary to what the hackers initially claimed. ShinyHunters added NAIC to its leak website on June 18, claiming to have stolen over 105,000 files totaling more than 3.1 TB, including 2.1 million insurer regulatory filing documents. The cybercriminals later shared an update saying that the initial statement was based on “an AI-generated misinterpretation of the underlying data” and that some of the claims regarding the type of data that was compromised were not accurate. The updated statement says only 260,000 insurer regulatory filing documents were stolen and removes references to services that NAIC said were not compromised. The cybercriminals claim to have targeted more than 100 organizations in the Oracle PeopleSoft campaign, but NAIC appears to be the first victim to publicly confirm that its data was compromised. The University of Nottingham is also reportedly a victim of the same operation, but it has not mentioned PeopleSoft in its public disclosure of the incident. Related: Kodak Admits Data Breach After ShinyHunters Hack Claims Related: More Klue Breach Victims Identified as Hackers Get Hacked Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Eduard Kovacs $3 Million Reportedly Stolen in Polymarket HackFirst-Ever Exploitation of PTC Windchill Vulnerability Discovered in the WildCal Water Says No OT Systems Breached in Iranian Handala CyberattackLantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat WarningCisco SD-WAN Zero-Day Exploited Months Before PatchingMicrosoft and Allies Smash Shared Infrastructure of Amadey and StealC MalwaremacOS Weaknesses Chained to Silently Disable Endpoint Security AgentsThird DraftKings Hacker Sentenced to 18 Months in Prison Latest News ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root AccessOpenAI and Anthropic Limit New AI Models to Trump-Approved Customers During Cybersecurity ReviewUS Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks EvolveOpenAI Unveils GPT-5.6 Sol as Its Most Advanced Cybersecurity AIChinese Framework Powers 200,000 Scam SitesAmazon Q Flaw Enabled Cloud Credential Theft via Malicious RepositoriesMore Klue Breach Victims Identified as Hackers Get HackedIn Other News: Chinese Mythos-Like AI, Tata Electronics Breach, Snyk Layoffs Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveMark Carter has been appointed Chief Information Security Officer at Socure.Spektrum Labs has named Mark Cravotta Chief Operating Officer.Philip Martin has joined Uber as Chief Information Security Officer.More People On The MoveExpert Insights When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told the Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

  • cve — CVE-2026-35273
  • malware — ShinyHunters

Entities

Oracle (vendor)PeopleSoft (product)ShinyHunters (threat_actor)National Association of Insurance Commissioners (NAIC) (vendor)Google (vendor)University of Nottingham (vendor)