The National Association of Insurance Commissioners (NAIC) has confirmed it was targeted in the recent hacking campaign that exploited an Oracle PeopleSoft zero-day vulnerability.
The PeopleSoft zero-day attacks came to light on June 11, when Oracle published an out-of-band advisory for a vulnerability tracked as CVE-2026-35273, which allows unauthenticated remote code execution.
The company did not mention in-the-wild exploitation in its public advisory, but Google and others confirmed seeing attacks.
The ShinyHunters cybercrime group appears to be behind the campaign, claiming to have targeted many organizations to steal their data.
The US state insurance regulatory body NAIC has come forward to say that it was targeted in the campaign.
NAIC is run by state insurance regulators and coordinates policy, develops model laws, and supports oversight across all 50 states.
In a security incident notice posted on its website on June 26, NAIC said it learned of unauthorized access to its systems via an Oracle PeopleSoft vulnerability on June 11.
An investigation showed that hackers gained access to publicly available statutory financial reporting information, credit rating agency data, and technical information such as outdated logs and configuration data.
According to the NAIC, personally identifiable information, as well as payment and financial account information, was not compromised.
The organization said state insurance departments’ systems were not impacted, and neither were various regulatory reporting systems, contrary to what the hackers initially claimed.
ShinyHunters added NAIC to its leak website on June 18, claiming to have stolen over 105,000 files totaling more than 3.1 TB, including 2.1 million insurer regulatory filing documents.
The cybercriminals later shared an update saying that the initial statement was based on “an AI-generated misinterpretation of the underlying data” and that some of the claims regarding the type of data that was compromised were not accurate. The updated statement says only 260,000 insurer regulatory filing documents were stolen and removes references to services that NAIC said were not compromised.
The cybercriminals claim to have targeted more than 100 organizations in the Oracle PeopleSoft campaign, but NAIC appears to be the first victim to publicly confirm that its data was compromised.
The University of Nottingham is also reportedly a victim of the same operation, but it has not mentioned PeopleSoft in its public disclosure of the incident.
Related: Kodak Admits Data Breach After ShinyHunters Hack Claims
Related: More Klue Breach Victims Identified as Hackers Get Hacked
