Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack

What happened

The National Association of Insurance Commissioners confirmed it was targeted in the recent Oracle PeopleSoft zero-day exploitation campaign.

The attacks came to light on June 11, when Oracle published an out-of-band advisory for CVE-2026-35273, an Oracle PeopleSoft vulnerability that allows unauthenticated remote code execution.

Oracle did not mention active exploitation in its public advisory, but Google and other researchers later confirmed that attacks had been observed.

The ShinyHunters cybercrime group appears to be behind the broader campaign and has claimed to have targeted many organizations to steal data.

NAIC, the U.S. state insurance regulatory body, said it learned on June 11 that unauthorized access to its systems had occurred through the Oracle PeopleSoft vulnerability.

NAIC is run by state insurance regulators and supports oversight across all 50 states. Its work includes coordinating policy, developing model laws, and supporting regulatory oversight.

An investigation found that the hackers accessed publicly available statutory financial reporting information, credit rating agency data, and technical information such as outdated logs and configuration data.

NAIC said personally identifiable information, payment information, and financial account information were not compromised.

The organization also said state insurance department systems were not impacted. It added that various regulatory reporting systems were not compromised, contrary to the hackers’ initial claims.

ShinyHunters added NAIC to its leak site on June 18, claiming to have stolen more than 105,000 files totaling over 3.1 TB, including 2.1 million insurer regulatory filing documents.

The group later revised its statement, saying its initial claim was based on an AI-generated misinterpretation of the underlying data. The updated statement said 260,000 insurer regulatory filing documents were stolen and removed references to services that NAIC said were not compromised.

ShinyHunters claims to have targeted more than 100 organizations in the Oracle PeopleSoft campaign, but NAIC appears to be the first victim to publicly confirm that its data was compromised.

Who is affected

NAIC is directly affected by the Oracle PeopleSoft hack.

The incident involved access to publicly available statutory financial reporting information, credit rating agency data, and technical information such as outdated logs and configuration data.

State insurance departments were not affected, and NAIC said personally identifiable information, payment information, and financial account information were not compromised.

Insurance carriers, regulators, and organizations that depend on NAIC data and regulatory systems should still pay attention because the incident involved a central organization in U.S. insurance oversight.

Why CISOs should care

This incident shows how enterprise application vulnerabilities can create data exposure even when the most sensitive categories of information are not compromised.

For CISOs, the Oracle PeopleSoft angle is the key issue. CVE-2026-35273 allows unauthenticated remote code execution, making exposed and unpatched PeopleSoft environments high-priority assets.

The ShinyHunters claims also highlight the challenge of breach communication during extortion activity. The group initially overstated or mischaracterized some compromised data, then revised its claims after saying the earlier statement came from an AI-generated misinterpretation.

That matters for incident response because organizations need to quickly separate attacker claims from verified forensic findings. During public extortion, inaccurate claims can still shape stakeholder concern, media coverage, and regulatory pressure.

3 practical actions

  1. Patch and isolate Oracle PeopleSoft systems: CVE-2026-35273 allows unauthenticated remote code execution. CISOs should confirm that PeopleSoft systems are patched, restrict external access, and review whether any exposed instances remain reachable.
  2. Validate attacker claims against forensic evidence: ShinyHunters initially claimed broader access before revising its statement. Incident response teams should preserve evidence, verify actual data exposure, and avoid relying on attacker descriptions when communicating impact.
  3. Review logs, configuration data, and regulatory reporting systems: NAIC said outdated logs and configuration data were accessed while key regulatory systems were not impacted. Security teams should assess whether exposed technical data could support further attacks and confirm that business-critical reporting systems remain protected.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.