Oracle: US Federal Insurance Regulator Confirms Data Breach Via Oracle Flaw

NAIC Suffers Data Breach Exposing US Citizens’ Credit Rating Data

The US National Association of Insurance Commissioners (NAIC) disclosed a security breach on June 17, following its detection on June 11. The incident stemmed from the exploitation of a zero-day vulnerability in Oracle PeopleSoft, a system used by the NAIC for internal financial reporting. The attack was part of a broader campaign targeting the same flaw across multiple organizations.

The unauthorized actor accessed and published data from the NAIC’s PeopleSoft environment, including:

  • Publicly available statutory financial reporting information
  • Credit rating agency data, such as insurer investment ratings
  • Potentially outdated technical logs or configuration files

In response, some credit rating agencies paused data feeds, leading the NAIC to temporarily suspend assigning designations to insurer investments. The association confirmed that critical data remained unaffected, including personal information of users and employees, payment details, and regulatory reporting systems like SERFF, OPTins, and the Enterprise Data Platform (EDP).

The NAIC contained the breach swiftly, blocking further access and engaging cybersecurity experts and outside counsel to bolster defenses. The FBI is also coordinating the investigation. While most operations have resumed, online invoice payments via PeopleSoft remain unavailable. The NAIC has since provided assurances to credit rating providers that its systems are secure, allowing the designation process to restart.

Source: https://www.infosecurity-magazine.com/news/us-insurance-regulator-confirms/

Oracle cybersecurity rating report: https://www.rankiteo.com/company/oracle

{
  "id": "ORA1782728779",
  "linkid": "oracle",
  "type": "Vulnerability",
  "date": "6/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}

{
  "affected_entities": [
    {
      "customers_affected": "Credit rating agencies, insurers",
      "industry": "Insurance Regulation",
      "location": "United States",
      "name": "National Association of Insurance Commissioners (NAIC)",
      "type": "Regulatory Organization"
    }
  ],
  "attack_vector": "Zero-day vulnerability exploitation",
  "data_breach": {
    "data_exfiltration": "Yes (data published by unauthorized actor)",
    "personally_identifiable_information": "None (confirmed unaffected)",
    "sensitivity_of_data": "Low to moderate (publicly available or outdated data; no PII or payment details exposed)",
    "type_of_data_compromised": "Statutory financial reporting information, credit rating agency data, technical logs/configuration files"
  },
  "date_detected": "2024-06-11",
  "date_publicly_disclosed": "2024-06-17",
  "description": "The US National Association of Insurance Commissioners (NAIC) disclosed a security breach on June 17, following its detection on June 11. The incident stemmed from the exploitation of a zero-day vulnerability in Oracle PeopleSoft, a system used by the NAIC for internal financial reporting. The unauthorized actor accessed and published data from the NAIC’s PeopleSoft environment, including publicly available statutory financial reporting information, credit rating agency data, and potentially outdated technical logs or configuration files. Some credit rating agencies paused data feeds, leading to a temporary suspension of assigning designations to insurer investments. The NAIC confirmed that critical data, including personal information of users and employees, payment details, and regulatory reporting systems, remained unaffected.",
  "impact": {
    "data_compromised": "Publicly available statutory financial reporting information, credit rating agency data, potentially outdated technical logs or configuration files",
    "operational_impact": "Temporary suspension of assigning designations to insurer investments; online invoice payments via PeopleSoft unavailable",
    "payment_information_risk": "None (confirmed unaffected)",
    "systems_affected": "Oracle PeopleSoft (internal financial reporting system)"
  },
  "initial_access_broker": {
    "entry_point": "Zero-day vulnerability in Oracle PeopleSoft"
  },
  "investigation_status": "Ongoing (coordinated by FBI)",
  "post_incident_analysis": {
    "corrective_actions": "Bolstered defenses, containment of affected system, engagement of cybersecurity experts",
    "root_causes": "Exploitation of zero-day vulnerability in Oracle PeopleSoft"
  },
  "references": [
    {
      "date_accessed": "2024-06-17",
      "source": "NAIC Public Disclosure"
    }
  ],
  "response": {
    "communication_strategy": "Public disclosure, assurances to credit rating providers",
    "containment_measures": "Blocking further access to the affected system",
    "law_enforcement_notified": "FBI",
    "recovery_measures": "Resumption of most operations; online invoice payments via PeopleSoft remain unavailable",
    "remediation_measures": "Engaging cybersecurity experts and outside counsel to bolster defenses",
    "third_party_assistance": "Cybersecurity experts, outside counsel"
  },
  "stakeholder_advisories": "Assurances provided to credit rating providers that systems are secure",
  "title": "NAIC Suffers Data Breach Exposing US Citizens’ Credit Rating Data",
  "type": "Data Breach",
  "vulnerability_exploited": "Zero-day vulnerability in Oracle PeopleSoft"
}