Zero-day · Contained

NAIC confirms data breach after Oracle PeopleSoft zero-day exploited by ShinyHunters

The National Association of Insurance Commissioners disclosed on 23 June 2026 that attackers exploited an Oracle PeopleSoft zero-day to access part of its environment, and by 25 June the extortion group ShinyHunters had published the stolen data online, claiming more than 3.1 terabytes.

Victim
National Association of Insurance Commissioners (NAIC)

On 23 June 2026, the National Association of Insurance Commissioners (NAIC) — the Kansas City–based standard-setting and regulatory-support organization for the chief insurance regulators of the 50 U.S. states, the District of Columbia, and the five U.S. territories — confirmed that it had suffered a data breach after attackers exploited a zero-day vulnerability in Oracle PeopleSoft. The NAIC said unauthorized access to a portion of its environment was identified on 11 June 2026 and that the intrusion was part of a broad campaign that affected multiple organizations worldwide.

What happened

The breach stemmed from active exploitation of CVE-2026-35273, a critical remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools rated 9.8 on the CVSS scale, which requires no authentication and no user interaction. Google's Mandiant attributed the wider campaign to the extortion group it tracks as UNC6240, better known as ShinyHunters, dating the activity from 27 May 2026 — before Oracle issued an out-of-band advisory and patch on 10 June — meaning the flaw was a true zero-day throughout the exploitation window. ShinyHunters has claimed to have compromised more than 100 organizations and over 300 PeopleSoft instances using the bug.

Data exposed

The NAIC said it uses PeopleSoft primarily for internal financial reporting and that its investigation concluded no personally identifiable information or payment data was accessed — specifically no employee data, electronic funds transfer details, risk-based capital data, policyholder information, producer data, or event-registration payment information. ShinyHunters, however, claimed to have exfiltrated more than 3.1 terabytes of data comprising over 105,000 files, and by 25 June 2026 the organization confirmed that the stolen data had been published online by the threat actor.

Context

The NAIC does not directly regulate insurers but provides the technology, data, and model frameworks that underpin state-based insurance regulation across the United States, making it a high-value target whose compromise drew scrutiny from the insurance sector and regulators alike. The NAIC is one of the more prominent confirmed victims of the ShinyHunters PeopleSoft campaign, which disproportionately hit higher-education institutions but extended to government-adjacent and financial bodies, underscoring how a single unpatched enterprise application can expose large volumes of sensitive organizational data to mass extortion.

Timeline

  1. 27 May 2026: ShinyHunters begins exploiting an Oracle PeopleSoft zero-day (CVE-2026-35273) in a broad campaign that ultimately compromises more than 100 organizations.

  2. 10 June 2026: Oracle releases an out-of-band emergency advisory and patch for CVE-2026-35273, a critical remote code execution flaw in PeopleSoft Enterprise PeopleTools.

  3. 11 June 2026: NAIC identifies unauthorized access to a portion of its environment tied to the PeopleSoft exploitation.

  4. 23 June 2026: NAIC publicly discloses the security incident, attributing it to the broad zero-day campaign.

  5. By 25 June 2026: NAIC confirms that data taken in the breach has been published online by ShinyHunters, which claims more than 3.1 TB and over 105,000 files.

Sources

  1. insurancejournal.com: https://www.insurancejournal.com/news/national/2026/06/24/875119.htm
  2. insurancejournal.com: https://www.insurancejournal.com/news/national/2026/06/25/875334.htm
  3. content.naic.org: https://content.naic.org/about/security-update
  4. cybernews.com: https://cybernews.com/news/naic-breach-shinyhunters-3tb-insurance-systems-data/
  5. scworld.com: https://www.scworld.com/brief/naic-confirms-cyberattack-after-shinyhunters-claims-3-1tb-data-theft
  6. thehackernews.com: https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html
