Breach Details and Impact
The National Association of Insurance Commissioners (NAIC) has confirmed that the ShinyHunters extortion group breached its Oracle PeopleSoft server by exploiting a zero-day vulnerability, designated CVE-2026-35273. The attack was discovered on June 11, and the organization states that only publicly available statutory financial reports, credit rating agency data, outdated logs, and configuration files were accessed or stolen. NAIC found no evidence that personally identifiable information or financial data was compromised, directly contradicting the threat actor’s claims. The incident caused operational disruptions, including temporary suspension of data feeds by credit rating agencies and a pause in investment designation work.
Discrepancies in Attacker Claims
ShinyHunters initially claimed to have stolen 105,000 files totaling 3.1 TB of data, including insurer regulatory filings, payment records, and credentials for insurance systems such as SERFF and OPTins. The hackers later acknowledged that their initial assessment was exaggerated due to AI hallucinations and provided a revised inventory verified by a human reviewer. NAIC maintains that systems such as SERFF, OPTins, and SBS were not compromised. The organization has remediated all affected systems and is implementing additional security measures. This attack is part of a broader campaign in which ShinyHunters used the same PeopleSoft zero-day to target over 100 organizations, predominantly in the education sector.
Source: BleepingComputer
