title: "NAIC: PeopleSoft Zero-Day Breach"
date: 2026-06-26
slug: naic-peoplesoft-breach
NAIC: PeopleSoft Zero-Day Breach
The National Association of Insurance Commissioners (NAIC) has confirmed that an unauthorized third party breached a portion of its systems by exploiting a zero-day vulnerability in Oracle PeopleSoft. According to the NAIC, the intrusion occurred on or about June 11, 2026, and was publicly disclosed on June 17. The attacker later posted to a leak site claiming to have exfiltrated roughly 3.1 terabytes of data across the NAIC's core regulatory platforms, a figure the NAIC believes to be an overstatement as of June 23. As the central data hub connecting all 50 state insurance departments and thousands of licensed insurers, the NAIC represents a high-value regulatory target with broad downstream exposure.
What Happened
On or about June 11, 2026, an unauthorized actor gained access to a portion of the NAIC's online infrastructure by exploiting a previously unknown flaw in Oracle PeopleSoft. The NAIC primarily uses PeopleSoft for internal financial reporting. While inside that system, the intruder obtained credentials sufficient to reach certain data-storage areas beyond the initial foothold.
The NAIC says it identified the unauthorized access on or about June 11 and activated its incident response procedures to contain and mitigate the impact. The organization states that the access path used by the attacker has since been blocked and remediated. As of the latest updates, the NAIC has continued to publish a chronology of communications to keep regulators, insurers, and the public informed while its investigation proceeds.
What Was Taken
The full scope of stolen data has not been confirmed by the NAIC. The threat actor publicly claimed on a leak site to have taken approximately 3.1 terabytes of data spanning the NAIC's core regulatory platforms. The NAIC has stated it believes that claim to be an overstatement and, as of June 18, had no confirmation that any data from its systems had actually been published or released.
The sensitivity here is significant regardless of the final volume. The NAIC maintains filing and reporting platforms that aggregate data from every state insurance department and thousands of insurers, meaning any confirmed loss could touch regulatory filings, financial reporting, and licensing information across the entire US insurance sector.
Why It Matters
The NAIC sits at the center of US insurance regulation, connecting all 50 state insurance departments and thousands of licensed carriers. A compromise of its infrastructure is not an isolated corporate breach; it is a strike against a national regulatory clearinghouse whose data feeds the oversight of an entire industry.
The use of a genuine zero-day in Oracle PeopleSoft raises the stakes for every organization running the same platform. PeopleSoft is widely deployed across government, education, and large enterprises for HR and financial functions, making it an attractive target for actors seeking broad reuse of a single exploit. The credential-pivot pattern, where access to a financial-reporting system became a path into data-storage areas, underscores how internal back-office systems can serve as launch points into far more sensitive repositories.
The Attack Technique
The NAIC attributes the breach to exploitation of a zero-day vulnerability in Oracle PeopleSoft, a flaw unknown to the developer or its users at the time of the attack. After establishing initial access through PeopleSoft, the actor obtained credentials that allowed lateral movement to certain data-storage areas.
This two-stage pattern, initial exploitation followed by credential harvesting and pivoting, is characteristic of intrusions aimed at maximizing data access rather than simply defacing or disrupting a single application. The NAIC reports that the specific access path has been blocked and remediated, though it has not publicly detailed the exact PeopleSoft component or CVE involved.
What Organizations Should Do
- Inventory all Oracle PeopleSoft deployments and apply vendor patches and emergency advisories immediately as Oracle releases fixes for the underlying zero-day.
- Treat internal financial and HR systems as high-value targets; segment them from sensitive data stores and enforce least-privilege access to limit credential-based pivoting.
- Hunt for indicators of compromise across PeopleSoft hosts, including anomalous authentication, unexpected credential use, and large outbound data transfers consistent with exfiltration.
- Rotate credentials and review service accounts that touch PeopleSoft, assuming that any reachable credential may have been harvested.
- Monitor leak sites and threat-intelligence feeds for claims referencing your organization or sector, and prepare to validate the accuracy of any claimed data volumes.
- Rehearse incident response and public-communication playbooks now, following the NAIC's chronology model of timely, staged disclosure to maintain stakeholder trust.
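One way to start the hunt described in the list above, as an added example that is not part of the original brief: it flags logins from a PeopleSoft host to a data store that fall outside a known baseline, then correlates them with large external transfers. All host names, accounts, addresses, log fields and the 10 GB threshold are assumptions, and the records are constructed.

```python
from collections import defaultdict

# Constructed sample data; host names, accounts and addresses are hypothetical.
PEOPLESOFT_HOSTS = {"psft-fin-01"}
DATA_STORES = {"stor-a", "stor-b"}
# (account, data store) pairs observed during normal operation
BASELINE = {("svc_psft_batch", "stor-a")}
AUTH_EVENTS = [  # (timestamp, source host, account, destination host, result)
    ("2026-01-10T02:00:00", "psft-fin-01", "svc_psft_batch", "stor-a", "success"),
    ("2026-01-10T02:14:00", "psft-fin-01", "svc_backup", "stor-b", "success"),
    ("2026-01-10T02:15:00", "psft-fin-01", "adm_jdoe", "stor-b", "failure"),
    ("2026-01-10T02:16:00", "hr-ws-07", "adm_jdoe", "stor-b", "success"),
]
FLOWS = [  # (source host, destination address, bytes sent, destination is internal)
    ("stor-b", "203.0.113.50", 48_000_000_000, False),
    ("stor-a", "10.0.4.20", 90_000_000_000, True),
    ("psft-fin-01", "198.51.100.7", 12_000_000, False),
]

def pivot_candidates(events, sources, stores, baseline):
    """Logins from a PeopleSoft host to a data store that are not in the baseline."""
    return [(ts, acct, dst, result)
            for ts, src, acct, dst, result in events
            if src in sources and dst in stores and (acct, dst) not in baseline]

def large_egress(flows, threshold_bytes):
    """Per-host total of bytes sent to external destinations, at or above the threshold."""
    totals = defaultdict(int)
    for src, _dst, sent, internal in flows:
        if not internal:
            totals[src] += sent
    return {host: total for host, total in totals.items() if total >= threshold_bytes}

def priority_hosts(events, flows, sources, stores, baseline, threshold_bytes):
    """Data stores with a successful non-baseline login from PeopleSoft and large egress."""
    reached = {dst for _ts, _acct, dst, result
               in pivot_candidates(events, sources, stores, baseline)
               if result == "success"}
    return sorted(reached & set(large_egress(flows, threshold_bytes)))

if __name__ == "__main__":
    args = (PEOPLESOFT_HOSTS, DATA_STORES, BASELINE)
    for hit in pivot_candidates(AUTH_EVENTS, *args):
        print("pivot candidate:", hit)
    print("review first:", priority_hosts(AUTH_EVENTS, FLOWS, *args, 10 * 10**9))
```

Failed attempts are kept in the candidate list on purpose: a failure from the PeopleSoft host with an account that later succeeds elsewhere is worth a credential rotation on its own.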
Sources: The NAIC's PeopleSoft Breach: A Chronology of Communications | InsureReinsure