Date:

Jun 2026

Location:

United States of America

Summary

The National Association of Insurance Commissioners reported a cyber incident resulting from a zero‑day vulnerability in its PeopleSoft system that was used for internal financial reporting. The association said the breach was promptly contained after detection, no personally identifiable or payment information was accessed, and it engaged outside counsel, cybersecurity experts and the FBI while notifying its cyber insurance carrier. Investigators concluded that none of the claimed data sets—including SERFF, OPTins, UCAA, EDP, RDC, employee, electronic funds transfer, risk‑based capital, policyholder, producer or event registration information—were actually taken, and state insurance department systems remained unaffected. Systems have been remediated and defenses strengthened, while the ShinyHunters group claimed responsibility for the intrusion and alleged theft of over three terabytes of data, a claim not substantiated by the investigation.

Description

The National Association of Insurance Commissioners detected the cyber incident on June 11, 2026. The incident resulted from a broad campaign exploiting a zero‑day vulnerability in Oracle PeopleSoft. NAIC uses PeopleSoft primarily for internal financial reporting purposes. After detection, the incident was promptly contained. NAIC engaged outside counsel and cybersecurity experts to investigate. NAIC coordinated with the FBI as part of the response. NAIC also contacted its cyber insurance carrier regarding the event.

NAIC stated that no personally identifiable information or payment information, including credit card or banking data, was accessed. The systems of state insurance departments were not affected by the breach. There has been no confirmation that any data from NAIC’s environment has been published or released. The hackers claimed to have accessed technology provided by NAIC such as the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate Authority Application (UCAA), Enterprise Data Platform (EDP), and Regulatory Data Collection (RDC). However, a cybersecurity firm involved in the investigation indicated that this information was not taken. The internal investigation concluded that no employee data, electronic funds transfer, risk‑based capital data, policyholder information, producer data, or event registration payment information was accessed. Multiple online sources attribute the breach to the ShinyHunters ransomware group, which claimed to have stolen 3.1 terabytes of data, comprising more than 105,000 files. ShinyHunters had previously claimed responsibility for attacks on Instructure’s Canvas platform, Bumble, Panera Bread, Match Group, and CrunchBase earlier in 2026.

Cybersecurity experts have remediated the affected systems. Additional steps have been taken to shore up defenses. NAIC said it is meeting with credit rating providers to provide third‑party assurances that its systems are secure. NAIC added that, if the data is released by the group responsible, it will engage cybersecurity experts to compare its data with what is released.
