The National Association of Insurance Commissioners (NAIC) says the ShinyHunters extortion group stole only publicly available data, outdated logs, and configuration files after breaching its systems by exploiting a zero-day vulnerability in an Oracle PeopleSoft server.
NAIC is a U.S. insurance regulatory organization present in all 50 states. The organization identified on June 11 that its PeopleSoft system had been accessed by an unauthorized party and discovered that “an unauthorized third party gained access to a portion of our IT systems.”
ShinyHunters claimed the attack and leaked the stolen data after the organization refused to pay a ransom.
NAIC responded to the threat actor’s leak and addressed some of the claims. The organization says that the hackers accessed and, in some cases, stole already publicly available statutory financial reports, credit rating agency data, outdated logs, and configuration information.
According to NAIC, the investigation found no evidence of personally identifiable information (PII) or financial data having been exposed and directly disputed the threat actor’s earlier claims that they compromised critical insurance regulatory platforms like SERFF (System for Electronic Rate and Form Filing), OPTins (Online Premium Tax for Insurance), and SBS (State-Based Systems).
The incident had operational consequences, with credit rating agencies temporarily suspending data feeds and the NAIC pausing investment designation work, but there are significant discrepancies between the hackers’ claims and the organization’s findings.
In an announcement updated on June 25, ShinyHunters claims to hold 3.1 TB of data corresponding to 105,000 files stolen from NAIC’s systems:
- INSData and Vision servers
- 264,000 insurer regulatory filing PDFs between 2017 and 2024
- 2,000 customer/order/payment records
- 45,000 rating agency files
- AWS infrastructure configs
- Stored credentials for SERFF, OPTins, and UCAA production environments
The hackers also noted in the update that a previous summary of the stolen data was exaggerated due to using AI hallucinations when evaluating the files.
However, according to the threat actor, the latest published inventory was validated by a human reviewer and should be considered accurate.
NAIC stated that all affected systems have now been remediated and that they are implementing additional defenses to prevent future attacks.
ShinyHunter’s hacking spree using the zero-day (CVE-2026-35273) in the PeopleSoft enterprise system has allegedly impacted more than 100 organizations.
BleepingComputer reported about the threat actor’s zero-day attacks before Oracle disclosed the security issue publicly. Both cloud and on-premises Oracle PeopleSoft customer instances were targeted in breaches that left behind extortion demands signed by ShinyHunters.
The hackers told us that most of the targeted organizations were in the education sector and had been previously extorted by the threat actor.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
