The National Association of Insurance Commissioners (NAIC) has disclosed its involvement in a recent cyberattack exploiting an Oracle PeopleSoft vulnerability. This breach is part of a wider hacking campaign that has raised significant concerns in the cybersecurity community.
Oracle PeopleSoft Vulnerability Exploited
The Oracle PeopleSoft zero-day vulnerability, identified as CVE-2026-35273, was revealed on June 11 when Oracle issued an urgent advisory. This vulnerability allows for remote code execution without authentication, posing a serious threat to affected systems. Although Oracle’s advisory did not highlight active exploitation, subsequent confirmations from Google and other entities have verified ongoing attacks.
The cybercrime group known as ShinyHunters has been linked to this campaign, claiming responsibility for targeting numerous organizations to extract sensitive data. The NAIC, a pivotal body in US state insurance regulation, has publicly acknowledged being one of the targets.
Details of the Security Incident
On June 26, the NAIC issued a security notice detailing the unauthorized access discovered on June 11. Hackers managed to penetrate their systems through the PeopleSoft vulnerability, accessing public statutory financial reporting information, credit rating agency data, and older technical logs and configurations.
Importantly, the NAIC reassured that no personally identifiable information or payment details were compromised. Furthermore, the systems of state insurance departments and various regulatory reporting structures remained unaffected, countering initial claims made by the hackers.
ShinyHunters’ Claims and Revisions
ShinyHunters included the NAIC in its list of victims on June 18, alleging the theft of over 105,000 files, equating to more than 3.1 terabytes of data, including 2.1 million insurer regulatory filing documents. However, a later clarification from the cybercriminals indicated that these figures were inflated due to an AI-generated data misinterpretation. The corrected statement reduced the theft to 260,000 documents and removed references to compromised systems as initially alleged by NAIC.
While the University of Nottingham is reportedly another victim of the same hack, it has not specifically associated its breach with the PeopleSoft vulnerability in its public disclosures.
Implications and Future Outlook
This incident highlights the persistent threat posed by sophisticated cyberattacks on major organizations. As more entities potentially affected by the Oracle PeopleSoft campaign come forward, the importance of robust cybersecurity measures and timely vulnerability patches is underscored. Both regulatory bodies and private organizations must remain vigilant against evolving cyber threats.
