The Breach That Wasn't
Let's get one thing straight: the NAIC got hit. Hard.
On June 11, 2026, the National Association of Insurance Commissioners — that's the U.S. insurance regulatory body present in all 50 states — discovered an unauthorized party had accessed its PeopleSoft system. The attack vector? A zero-day vulnerability in Oracle's enterprise software, CVE-2026-35273. The same flaw ShinyHunters has been weaponizing against over 100 organizations worldwide.
But here's where the story gets interesting. And by interesting, I mean frustrating.
The hackers claimed they compromised critical insurance regulatory platforms — SERFF (System for Electronic Rate and Form Filing), OPTins (Online Premium Tax for Insurance), and SBS (State-Based Systems). They said they walked away with 3.1 terabytes of data across 105,000 files.
The NAIC said: "Nope. You got public filings, outdated logs, and config files. That's it."
And honestly? I believe the NAIC.
Because when you look at what ShinyHunters actually claimed to have stolen — 264,000 insurer regulatory filing PDFs from 2017 to 2024, 45,000 rating agency files, stored credentials for production environments — and then compare that to what the NAIC says was actually accessible? The gap isn't just wide. It's embarrassing.
This is what happens when extortion groups inflate their hauls. They say "we got everything" because they want you to pay. But the data? The data doesn't lie.
Not for long, anyway.
What Was Actually Stolen
So what did ShinyHunters actually walk away with? Let's break it down, because the details matter more than the headlines.
According to NAIC's official security update — updated June 25 and July 8, 2026 — the threat actor accessed:
Publicly available statutory financial reports. These are annual and quarterly financial statements that insurers already publish via InsData. If you've ever pulled an insurer's financials for compliance work, you know where to find these. They're not secret.
Credit rating agency data. Specifically, the rating symbol feeds — things like BBB+, A1, etc. These are the shorthand ratings agencies use to grade investments. Again, not exactly state secrets.
Outdated logs and configuration information. Old system logs. Config files. The kind of stuff that's useful for recon but not exactly a goldmine.
Some additional storage data. NAIC didn't get more specific than this, but it's clearly not the 3.1 TB the hackers claimed.
Here's what wasn't stolen, and this is where NAIC gets very specific:
- No personally identifiable information (PII)
- No banking or payment data
- No policyholder data
- No producer data
- No employee personal information
- No non-public or supplemental compensation exhibit data (these are excluded from InsData anyway)
- No Risk-Based Capital data (confidential, also excluded from InsData)
- No rating agency rationale reports — just the symbols, not the reasoning
- No insurer-specific investment portfolio information that could be linked through rating data
- The state fees payment system was not compromised
And critically: no data was destroyed or exfiltrated beyond what was accessed.
I know what you're thinking. "If it's all public data, why did ShinyHunters claim they got 3.1 TB?"
Good question.
The Hacker Claims vs. Reality
ShinyHunters' leak site told a very different story.
Their June 25 update claimed they had:
- INSData and Vision servers
- 264,000 insurer regulatory filing PDFs (2017-2024)
- 2,000 customer/order/payment records
- 45,000 rating agency files
- AWS infrastructure configurations
- Stored credentials for SERFF, OPTins, and UCAA production environments
That's a lot of files. That's 3.1 terabytes. That's enough to make any insurance regulator sweat.
But then ShinyHunters did something unexpected. They admitted their previous summary was "exaggerated due to using AI hallucinations when evaluating the files." And they said their latest inventory had been validated by a human reviewer.
So which version is accurate? The one with AI hallucinations or the one with human validation?
Here's my take: both might be right, and that's the problem.
The NAIC says ShinyHunters accessed certain data storage areas. Mandiant's investigation confirmed the scope includes PeopleSoft and "certain data storage areas." But NAIC is saying those areas contained only public filings, rating symbols, logs, and configs.
ShinyHunters is saying they got 264,000 PDFs and 45,000 rating agency files.
Now, here's the thing about InsData: it does contain publicly available statutory financial reports and rating symbol feeds. But it doesn't contain non-public compensation exhibits or Risk-Based Capital data — those are explicitly excluded.
So if ShinyHunters is counting every publicly available PDF in InsData as "stolen," they're technically right. But if they're implying they got confidential regulatory data, they're not.
It's the difference between "we accessed the public records" and "we stole your secrets."
One is a breach. The other is an extortion pitch.
And the NAIC isn't buying it.
What Was NOT Compromised
Let me be very clear about what ShinyHunters didn't get, because this matters for the insurance industry.
No SERFF compromise. The System for Electronic Rate and Form Filing — where insurers file rates and policy forms for state approval — was not breached. If you've ever filed a rate increase or a new policy form through SERFF, your submission is safe.
No OPTins compromise. The Online Premium Tax for Insurance system — where insurers pay their premium taxes to states — was not breached. Your tax payments aren't exposed.
No SBS compromise. State-Based Systems, which handle various regulatory functions, were not breached.
No PII. No policyholder data. No producer data. No employee personal information. No banking or payment info.
This is huge. Because when ShinyHunters hits a university and steals 280 million student records, or when they hit Nissan and expose employee SSNs and bank accounts, you hear about it. But when they hit the NAIC and only get public filings? You don't.
But here's what did happen, and it's still significant:
Credit rating providers paused their rating symbol data feeds shortly after being notified. Beginning June 18, the NAIC suspended assigning and publishing NAIC Designations based on CRP ratings in AVS+. Investment designation work was paused.
Why? Because even if the data is public, the integrity of the system matters. If regulators can't trust that their rating feeds are accurate and untampered, the whole framework wobbles.
The NAIC did clarify that Q2 filings (due August 15) can use CRP ratings data as of June 17, 2026. Quarterly reporting should not be delayed. And designations assigned by the Securities Valuation Office or Structured Securities Group are not impacted.
So the operational fallout is real, but it's contained. For now.
The Bigger Picture
This breach didn't happen in a vacuum. CVE-2026-35273 has impacted over 100 organizations globally. Most of the targeted organizations? Higher education.
Why universities? Because they're running PeopleSoft on systems that haven't been patched since the Obama administration. They have hundreds of departments, dozens of legacy systems, and budgets that haven't changed since 2010. And they treat security like a compliance checkbox.
The NAIC isn't a university, but it's running the same software. And it got hit the same way.
Mandiant's investigation confirmed the scope includes PeopleSoft and certain data storage areas. All affected systems have been remediated. The NAIC is implementing additional defenses.
But here's the uncomfortable truth: this zero-day didn't need a phishing email. It didn't need a click. It just needed to be online.
And PeopleSoft is online everywhere. In universities. In hospitals. In automakers. In insurance regulators.
Thousands of times.
The real failure here isn't the vulnerability. It's the assumption that "on-prem" means secure. That "internal system" means safe. That "we don't have sensitive data" means we're not a target.
ShinyHunters doesn't care about your data classification. They care about your software version.
And if you're running PeopleSoft 8.61 or 8.62 without Oracle's emergency mitigations, you're already compromised. The zero-day just gave them a clean entry.
This isn't a zero-day anymore. It's a zero-effort.
And it's still happening.
What This Means for You
If you're a security or compliance analyst working with insurance regulatory data, here's what you need to know:
The NAIC's InsData platform is still operational. The public filings and rating symbol feeds are available. But credit rating providers paused their feeds, so if you're relying on real-time CRP data for compliance work, you might be working with stale information.
Q2 filings are still on track. The NAIC says quarterly reporting should not be delayed. Use CRP ratings data as of June 17, 2026 for your filings due August 15.
Don't trust the hacker claims. ShinyHunters inflated their haul. They admitted it. But they also said their latest inventory was human-validated. So which is it? The answer is: we don't know for sure, and that uncertainty is the point.
Check your own PeopleSoft instances. If you're running the same software, apply Oracle's emergency mitigations. Block the known ShinyHunters IPs (142.11.200.186-190, 108.174.202.99, 176.120.22.24). Audit your SSH keys. Check for .jsp files in WebLogic directories.
Assume you're already compromised if you haven't patched. The zero-day is public. The exploit is in the wild. The question isn't "if" but "when."
And when it happens, don't be surprised if the hackers claim they got everything. They always do.
The data will tell you what they actually took.