Oracle: NAIC confirms PeopleSoft breach as cybercriminals target insurance regulators

NAIC Confirms Cyberattack on PeopleSoft Systems by ShinyHunters

The National Association of Insurance Commissioners (NAIC) disclosed a cyberattack on its Oracle PeopleSoft systems, detected on June 11, 2026, and publicly announced on June 23. The breach, attributed to the ShinyHunters hacking group, exploited CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62) with a CVSS score of 9.8. The flaw, requiring only HTTP network access, was actively exploited between May 27 and June 9, before Oracle issued an advisory on June 10.

The attackers gained temporary access to data storage areas, though the NAIC confirmed no personally identifiable information (PII), payment data, or banking details were compromised. Exposed data included publicly available statutory financial reporting information and credit rating agency data, specifically insurer investment ratings. Despite ShinyHunters’ claims of breaching multiple NAIC systems, including SERFF, OPTins, UCAA, EDP, and RDC, cybersecurity experts verified these were not compromised.

Operational disruptions persist: credit rating agencies paused data feeds, and the NAIC temporarily suspended investment designations. Online invoice payments via PeopleSoft remain unavailable. The NAIC, working with Alphabet’s Mandiant and Google Threat Intelligence, has remediated affected systems and blocked unauthorized access. No stolen data has been published as of the announcement.

The incident is part of a broader campaign targeting over 100 organizations worldwide, with most victims in the U.S. (68% in higher education). ShinyHunters, known for data theft and extortion, did not deploy ransomware in this attack. The FBI and external cybersecurity firms are investigating, while the NAIC collaborates with credit rating providers to verify system security before resuming full services, a process expected to take months.

The breach underscores the growing threat to regulatory bodies, which face over 600 million identity attacks daily, per Microsoft Entra data. Oracle’s 14-day delay in issuing a patch left organizations vulnerable, highlighting risks in unpatched enterprise software. The NAIC has engaged its cyber insurance carrier in response.

Source: https://www.insurancebusinessmag.com/us/news/cyber/naic-confirms-peoplesoft-breach-as-cybercriminals-target-insurance-regulators-580134.aspx

Oracle HCM Users Group (OHUG) cybersecurity rating report: https://www.rankiteo.com/company/oracle-hcm-users-group-ohug-

"id": "ORA1782312365",
"linkid": "oracle-hcm-users-group-ohug-",
"type": "Vulnerability",
"date": "5/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Insurance Regulation',
                        'location': 'United States',
                        'name': 'National Association of Insurance '
                                'Commissioners (NAIC)',
                        'type': 'Regulatory Body'}],
 'attack_vector': 'Exploitation of unpatched vulnerability (CVE-2026-35273)',
 'data_breach': {'personally_identifiable_information': 'No',
                 'sensitivity_of_data': 'Low (publicly available data, no PII '
                                        'or payment information)',
                 'type_of_data_compromised': 'Statutory financial reporting '
                                             'information, credit rating '
                                             'agency data (insurer investment '
                                             'ratings)'},
 'date_detected': '2026-06-11',
 'date_publicly_disclosed': '2026-06-23',
 'description': 'The National Association of Insurance Commissioners (NAIC) '
                'disclosed a cyberattack on its Oracle PeopleSoft systems, '
                'attributed to the ShinyHunters hacking group. The breach '
                'exploited a critical unauthenticated remote code execution '
                'vulnerability in PeopleSoft Enterprise PeopleTools. The '
                'attackers gained temporary access to data storage areas, '
                'though no personally identifiable information (PII), payment '
                'data, or banking details were compromised. Exposed data '
                'included publicly available statutory financial reporting '
                'information and credit rating agency data.',
 'impact': {'data_compromised': 'Publicly available statutory financial '
                                'reporting information and credit rating '
                                'agency data (insurer investment ratings)',
            'operational_impact': 'Credit rating agencies paused data feeds; '
                                  'NAIC temporarily suspended investment '
                                  'designations; online invoice payments via '
                                  'PeopleSoft remain unavailable',
            'systems_affected': 'Oracle PeopleSoft systems (temporary access '
                                'to data storage areas)'},
 'initial_access_broker': {'entry_point': 'Exploitation of CVE-2026-35273',
                           'reconnaissance_period': 'May 27 to June 9, 2026'},
 'investigation_status': 'Ongoing (FBI and external cybersecurity firms)',
 'lessons_learned': 'Growing threat to regulatory bodies; risks of unpatched '
                    "enterprise software; delays in vendor patching (Oracle's "
                    '14-day delay in issuing a patch for CVE-2026-35273)',
 'motivation': 'Data theft and extortion',
 'post_incident_analysis': {'corrective_actions': 'Remediation of affected '
                                                  'systems; collaboration with '
                                                  'credit rating providers to '
                                                  'verify security; engagement '
                                                  'of cyber insurance carrier',
                            'root_causes': 'Unpatched vulnerability '
                                           '(CVE-2026-35273); delayed vendor '
                                           'patching'},
 'references': [{'source': 'NAIC Disclosure'},
                {'source': 'Oracle Advisory (CVE-2026-35273)'},
                {'source': 'Microsoft Entra Data'}],
 'response': {'containment_measures': 'Remediated affected systems; blocked '
                                      'unauthorized access',
              'law_enforcement_notified': 'FBI',
              'remediation_measures': 'Collaboration with credit rating '
                                      'providers to verify system security '
                                      'before resuming full services',
              'third_party_assistance': 'Alphabet’s Mandiant, Google Threat '
                                        'Intelligence'},
 'threat_actor': 'ShinyHunters',
 'title': 'NAIC Cyberattack on PeopleSoft Systems by ShinyHunters',
 'type': 'Data Breach',
 'vulnerability_exploited': 'CVE-2026-35273 (CVSS 9.8, unauthenticated remote '
                            'code execution in PeopleSoft Enterprise '
                            'PeopleTools versions 8.61 and 8.62)'}