title: "NAIC: ShinyHunters Oracle PeopleSoft Zero-Day Breach"
date: 2026-06-30
slug: insurance-body-oracle-peoplesoft-breach
NAIC: ShinyHunters Oracle PeopleSoft Zero-Day Breach
The National Association of Insurance Commissioners (NAIC) has confirmed that threat actors posted data stolen from its systems on a leak site, following the exploitation of a zero-day vulnerability in Oracle PeopleSoft earlier this month. The compromise has rippled across the U.S. insurance sector, with multiple credit ratings agencies, including Moody's, Fitch, and Kroll Bond Rating Agency, suspending data feeds to the NAIC as a precaution. The intrusion is part of a broader campaign tied to the ShinyHunters group that Mandiant says impacted more than 100 organizations.
What Happened
NAIC, the standards body that supplies data, analysis, and expertise to state insurance regulators across the United States, disclosed that its systems were compromised in connection with a critical Oracle PeopleSoft zero-day. After gaining access, the attackers exfiltrated data and published it on a leak site, a hallmark double-extortion tactic associated with the ShinyHunters crew.
The fallout extended beyond NAIC itself. Several credit ratings agencies that routinely submit information to the association moved quickly to limit exposure. Moody's confirmed its data was among the material posted, but stressed the leak was not the result of a breach of its own network. Fitch Ratings confirmed that certain data it had previously submitted to NAIC was caught up in the breach, while noting its own systems and operations were untouched. Kroll Bond Rating Agency suspended its NAIC data feeds until the incident is resolved satisfactorily. AM Best, a ratings agency focused on the insurance sector, said none of its non-public information was affected.
What Was Taken
The stolen and leaked data centers on financial and ratings information tied to insurer investments. According to NAIC, a portion of the exposed information had already been publicly available through state insurance department sites, data resellers, and other insurance data aggregators, which limits the marginal sensitivity of some records.
Critically, NAIC said it found no evidence that financial account data or personally identifiable information was lost, and that its regulatory filing systems remain secure. The exposure appears concentrated in credit ratings and investment-linked datasets rather than consumer or policyholder records, which tempers the immediate downstream risk to individuals even as it raises competitive and confidentiality concerns for the ratings agencies involved.
Why It Matters
NAIC sits at the center of how the United States regulates insurance, channeling data that informs solvency oversight and market conduct decisions by state regulators. A compromise of that hub, even one limited to investment and ratings data, undermines trust in the data supply chain that regulators and ratings agencies depend on.
The precautionary suspension of feeds by Moody's, Fitch, and Kroll illustrates the second-order cost of these incidents. Even when an agency's own network is intact, exposure of submitted data is enough to sever data-sharing relationships and degrade the completeness of regulatory datasets. For defenders, this is a clear case study in third-party and supply-chain risk: a single exploited enterprise application can disrupt an entire industry's information flows and force trusted partners into defensive postures.
The Attack Technique
The intrusion traces back to exploitation of a critical remote code execution flaw in Oracle PeopleSoft, a widely deployed enterprise resource planning and human capital management platform. The ShinyHunters threat group has been linked to the exploitation of this zero-day vulnerability.
Mandiant, the incident response arm of Google Cloud, notified more than 100 organizations that they may have been affected by the activity. Notably, roughly two-thirds of the impacted organizations were educational institutions, suggesting the attackers cast a wide net against internet-facing PeopleSoft deployments rather than targeting the insurance sector exclusively. NAIC's exposure appears to be one outcome of that broad, opportunistic exploitation campaign.
What Organizations Should Do
- Inventory all Oracle PeopleSoft deployments, especially internet-facing instances, and apply Oracle's emergency patches and mitigations for the exploited remote code execution flaw immediately.
- Hunt for indicators of compromise consistent with ShinyHunters activity, including unexpected outbound data transfers, anomalous administrative access, and web shell or RCE artifacts on PeopleSoft hosts.
- Reassess third-party and data-sharing relationships, and be prepared to temporarily suspend feeds to or from compromised partners, as the ratings agencies did, to contain exposure.
- Segment and restrict access to enterprise applications so that a single exploited service cannot expose entire datasets, and enforce least privilege on data submission pipelines.
- Validate backups, logging, and exfiltration detection on ERP and HCM platforms, since these systems concentrate high-value financial and personnel data attractive to extortion groups.
- Maintain a breach communications and disclosure plan that allows rapid, factual confirmation of scope, as NAIC and the ratings agencies did, to preserve trust with partners and regulators.
Sources: Insurance body confirms hackers posted Oracle PeopleSoft breach data | Cybersecurity Dive
TWEET: NAIC breached by ShinyHunters via an Oracle PeopleSoft zero-day. Insurer ratings data posted to a leak site; Moody's, Fitch & Kroll paused feeds. Full breakdown: https://wasteland.me/intel/insurance-body-oracle-peoplesoft-breach #CyberSecurity #ThreatIntel