NAIC confirms breach as ShinyHunters dumps 3.1TB tied to national insurance systems

The National Association of Insurance Commissioners (NAIC) on Thursday confirmed that data was stolen in an Oracle zero-day attack earlier this month, as the notorious ShinyHunters group dumps a 3.1TB cache it says is tied to the regulatory body's systems used across the US insurance industry.
- NAIC confirmed a data breach after ShinyHunters posted 3.1TB of allegedly stolen data online.
- The leak appears to include insurer filings, cloud infrastructure files, and information tied to systems used across the US insurance industry.
- The incident highlights how cyberattacks are increasingly targeting organizations that sit at the center of critical financial sectors.

In a breach update on its website, NAIC said it was aware that the “data taken was published online by the group responsible,” without naming the notorious extortionists directly.
The “security incident” – first discovered by NAIC on June 11th – was linked to a recently disclosed zero-day vulnerability affecting Oracle's PeopleSoft software, a cloud-based business management platform the organization said it primarily uses for internal financial reporting purposes.
Why the breach matters
NAIC plays a central role in US insurance regulation, collecting insurer data and operating key systems used by regulators and insurance companies nationwide.
Its data and analysis are used to determine everything from the financial health and credit ratings of major US insurance companies to the regulation of insurance products, pricing, and oversight – meaning a breach of its systems could have a ripple effect on the infrastructure powering the entire US insurance industry.
The federal government classifies the insurance industry, which falls under the US financial services sector, as critical infrastructure.
NAIC said no personally identifiable information (PII) or payment information was accessed – including credit card or banking information – and that state insurance departments’ systems were unaffected.
What data was compromised?
Oracle's PeopleSoft is used by more than 10,000 enterprises worldwide.
The ShinyHunters mass-hacking campaign ran from May 27th until an emergency patch was released on June 10th, successfully targeting over 100 organizations and 300 individual instances, according to Google Mandiant.
Posting NAIC on its dark leak site Thursday, ShinyHunters said it was amending a previous “overstatement” about the alleged contents of the data dump, claiming it was now providing more accurate details after “human review.”
The mistake was apparently “due to an analytical error and an AI-generated misinterpretation of the underlying data,” ShinyHunters wrote.
Meanwhile, in its website update, NAIC said investigators found no evidence that core systems were compromised.
NAIC said unaffected systems include its System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate of Authority Application (UCAA), Electronic Data Platform (EDP), and Regulatory Data Catalog (RDC).
Additionally, NAIC said the following were not accessed: employee personal data, electronic funds transfer, risk-based capital data, policyholder information, producer data, and event registration payment information.
However, files posted by ShinyHunters suggest the alleged 3.1TB dataset could extend far beyond ordinary insurance documents.
The group claims to have stolen the following:
- More than 264,000 insurer regulatory filing PDFs spanning property, casualty, health, and life insurance companies between 2017 and 2024.
- Around 2,000 customer and bulk order records containing names, email addresses, and payment transaction identifiers.
- Approximately 45,000 files from major credit rating agencies, including Moody's, Fitch, S&P, Kroll, DBRS, AM Best, Egan-Jones, and HR Ratings.
- Statutory annual and quarterly financial statements submitted by insurers.
- Production AWS infrastructure logs, cloud configuration files, and workload automation data.
- SQL scripts and what researchers described as stored credentials tied to production environments associated with SERFF, OPTins, and UCAA.
More than just insurance filings
The dataset appears to contain three broad categories of information – insurance industry records, customer information, and technical files that may provide a blueprint of how parts of NAIC's digital infrastructure operate.
The leaked directory listings also reference cloud templates, configuration buckets, application settings, production backups, and automation platforms, suggesting the alleged breach may involve internal infrastructure data in addition to regulatory records.
The concern for NAIC is not necessarily the filing documents themselves, as many of the records may already be available through various regulatory channels.
Security experts warn that infrastructure files, configuration data, and production backups could provide the extortion group with a roadmap of the organization's internal environment.
This could expose how systems are connected, how data moves through the network, and potentially provide access to NAIC's sensitive credentials and administrative functions.
NAIC said operations have returned to normal, with two exceptions: its online invoice payment via PeopleSoft is now available, and it is awaiting assurances from third-party credit rating providers that its systems are secure.