NAIC and ShinyHunters in Dispute Over Data Breach Severity

NAIC States Data Breach Involves Public Data, Disputes Hackers' Claims

The U.S. National Association of Insurance Commissioners (NAIC) confirmed a breach by the ShinyHunters group via an Oracle PeopleSoft zero-day. NAIC claims only public data was stolen, while the hackers assert they leaked 3.1 TB of critical data.


What Happened

The National Association of Insurance Commissioners (NAIC), a key regulatory body for the U.S. insurance industry, has confirmed it was targeted by ShinyHunters, a well-known extortion group. The organization announced that it identified unauthorized access to its systems on June 11 and immediately launched an investigation. The attack was reportedly carried out by exploiting a zero-day vulnerability in Oracle's widely used PeopleSoft enterprise software.

The situation escalated after ShinyHunters demanded a ransom from NAIC, which the organization refused to pay. Following the refusal, the group leaked the data they claimed to have stolen. In response, NAIC shared its own findings regarding the scope of the attack and the nature of the exfiltrated data. However, there are significant discrepancies between the institution's statements and the hackers' claims. This has created an environment of uncertainty about the true impact of the cyberattack, leading to a war of words between the two parties.

The Exfiltrated Data

The question of what data was compromised is the main point of contention between NAIC and ShinyHunters. The two narratives paint entirely different pictures of the incident's severity.

NAIC's Statement:

NAIC maintains that its investigation found no evidence that the attackers accessed sensitive information. According to the organization, the leaked data consists largely of information that was already publicly available. This includes:

  • Statutory Financial Reports: Financial statements that insurance companies are required to disclose to the public regularly.
  • Credit Rating Agency Data: Rating data that is used in the organization's business processes but is generally accessible.
  • Outdated Log Files: Historical log records of system activities that are no longer current.
  • Configuration Information: Infrastructural configuration files for its systems.

In its statement, NAIC strongly emphasized that there is no evidence of personally identifiable information (PII) or any financial data being exposed. The organization also flatly denied ShinyHunters' claims that critical insurance regulatory platforms like SERFF (System for Electronic Rate and Form Filing), OPTins (Online Premium Tax for Insurance), and SBS (State-Based Systems) were compromised.

ShinyHunters' Claims:

On the other hand, the ShinyHunters group presents a much larger and more damaging data breach scenario. In an update on June 25, the group published an inventory of the data they claim to have stolen, stating they possess a dataset totaling 3.1 TB and comprising 105,000 files. The group's list includes:

  • Data stolen from INSData and Vision servers.
  • 264,000 insurer regulatory filing PDFs from 2017 to 2024.
  • 2,000 customer, order, and payment records.
  • 45,000 files from rating agencies.
  • AWS infrastructure configuration files used by NAIC.
  • Stored credentials (usernames and passwords) for the production environments of critical systems like SERFF, OPTins, and UCAA.

Interestingly, the hacker group also made an admission. They stated that a previous summary of the stolen data was exaggerated due to "AI hallucinations" from the tool they used to evaluate the files. However, they stressed that the latest published inventory was validated by a human reviewer and should be considered accurate.

How the Attack Occurred

At the core of the attack is a previously unknown vulnerability in Oracle's PeopleSoft enterprise resource planning (ERP) software. Such vulnerabilities are called "zero-days" because they are discovered and exploited before the software developer is aware of them. The specific vulnerability used in this attack is identified as CVE-2026-35273.

ShinyHunters successfully used this vulnerability to infiltrate NAIC's systems. The group employed this attack method not just against NAIC but as part of a broader campaign. According to BleepingComputer, before Oracle publicly disclosed the vulnerability, ShinyHunters was already using it to target both cloud and on-premises Oracle PeopleSoft instances. Extortion notes signed by ShinyHunters were left on the systems of the breached organizations. It is reported that the group has targeted more than 100 organizations using the same vulnerability, with many of the targets being educational institutions that had been previously extorted.

Who Is Affected

The direct target of the attack was NAIC, which operates across all 50 U.S. states to regulate the insurance industry. The attack also had operational consequences for the organization. According to NAIC, credit rating agencies temporarily suspended data feeds, and the association's own investment designation work was paused.

Indirectly, this attack serves as a warning to all organizations using Oracle PeopleSoft software. The fact that ShinyHunters targeted over 100 organizations with the same vulnerability demonstrates the wide-ranging impact of this security flaw. The education sector, in particular, was reported to be a primary target of this campaign.

What You Can Do

Although NAIC states that no personal data was leaked, this incident offers important lessons for both organizations and individuals.

  • For Organizations Using Oracle PeopleSoft: The most critical lesson from this attack is the importance of keeping software updated. Applying the security patch released by Oracle for CVE-2026-35273 is crucial. System administrators should regularly monitor log files for unusual activity and unauthorized access attempts, especially on internet-facing enterprise servers.
  • For All Organizations: Zero-day attacks can challenge even the most prepared organizations. Therefore, adopting a defense-in-depth security architecture can help mitigate the impact of a breach. Furthermore, it is essential to ensure that credentials for critical systems are stored securely.
  • For Individuals: While no personal data was reportedly compromised in this specific incident, such news serves as a reminder of how vulnerable our digital identities are. Avoiding the use of the same password across different platforms and enabling multi-factor authentication (MFA) are fundamental steps of good cybersecurity hygiene.
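As an added illustration of the "credentials stored securely" point, and not part of the article or of NAIC's statement: both sides agree that configuration files were among the exfiltrated data, and ShinyHunters claims those files held production usernames and passwords. The Python script below is a minimal pre-exposure check that scans a config file for plaintext credentials while accepting vault references and deploy-time placeholders; the sample config, its names and every pattern except the documented AKIA/ASIA AWS access key ID prefix are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Each pattern names one way a live credential ends up in a config file.
# AKIA/ASIA as AWS access key ID prefixes is a documented convention; the
# rest is a constructed heuristic, not a PeopleSoft or NAIC artifact.
SECRET_PATTERNS = [
    ("credential_assignment", re.compile(
        r"(?i)^\s*[\w.\-]*(?:password|passwd|pwd|secret|token|api_key)[\w.\-]*"
        r"\s*[=:]\s*['\"]?(?P<val>[^'\"\s#]+)")),
    ("jdbc_url_with_password", re.compile(r"(?i)jdbc:\S*password=(?P<val>[^&\s]+)")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]
# Vault references and deploy-time placeholders are what *should* be there.
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|\$[A-Za-z_]\w*|<[^>]+>|\*{3,})$")

def find_plaintext_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding_type) for each line that embeds what looks
    like a live credential; comment lines and placeholder values are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue  # comments cannot authenticate anyone
        for name, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.groupdict().get("val") or match.group(0)
            if PLACEHOLDER.match(value):
                continue
            findings.append((lineno, name))
            break  # one finding per line is enough to flag it for triage
    return findings

# Constructed sample in the style of an application deployment file.
SAMPLE_CONFIG = """\
# constructed sample; nothing here is a real system or secret
[database]
db.user = serff_app
db.password = Sup3rS3cret!
jdbc.url = jdbc:oracle:thin:@db-prod.internal.example:1521/serff?user=app&password=abc123
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = ${VAULT:aws/prod/secret}
# password = old_value_commented_out
api_token = <injected-at-deploy-time>
"""
```

Running `find_plaintext_credentials(SAMPLE_CONFIG)` flags the plaintext database password, the password embedded in the JDBC URL and the hard-coded AWS key, while the vault reference, the placeholder and the commented-out line pass.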

What the Company Says

In its statement regarding the incident, NAIC aimed to maintain a transparent stance. The organization confirmed it detected the attack on June 11 and that an unauthorized third party gained access to a portion of its IT systems. It stated that a comprehensive investigation concluded that the attackers only accessed publicly available data, outdated logs, and configuration files.

The organization unequivocally denied ShinyHunters' claims of compromising critical platforms like SERFF, OPTins, and SBS, and reiterated that there is no evidence that PII or sensitive financial data was exposed. The statement also shared that all affected systems have now been remediated and that additional defenses are being implemented to prevent future attacks.

Source

https://www.bleepingcomputer.com/news/security/naic-says-public-data-stolen-in-shinyhunters-peoplesoft-breach/

This content was generated with AI assistance through our Argus Flow application.
