The National Association of Insurance Commissioners said a PeopleSoft security incident has left insurer investment designations suspended and online invoice payments unavailable, even as most operations have returned to normal.
ShinyHunters claimed on its leak site that it obtained more than 3.1 terabytes of NAIC.org data, including regulatory filings, credit rating data, customer records, financial statements and internal system information. NAIC has not confirmed the full scope of the claim or named the group responsible.
The disruption affects a specialized but important part of the insurance regulatory system. NAIC designations are used for insurer investments, and the organization provides data and analysis to help insurance commissioners regulate the industry.
The Kansas City, Missouri-based organization said Friday that most operations had returned to normal, but the designation process remained suspended and online invoice payment through PeopleSoft was still unavailable.
NAIC said some credit rating agencies paused information they provide for the designation process after the incident, forcing the organization to temporarily stop assigning designations to insurer investments.
NAIC said it identified unauthorized access to part of its environment June 11 through an Oracle PeopleSoft vulnerability. The organization said the intruder used the PeopleSoft access to temporarily reach certain data storage areas, and that the access path has been blocked.
NAIC said the incident was tied to a broader campaign targeting Oracle PeopleSoft systems at multiple organizations. Oracle has since issued an advisory for the PeopleSoft flaw, which can be exploited remotely without authentication.
NAIC said the incident did not affect state insurance department systems. The organization also said outside cybersecurity experts confirmed that several major regulatory filing, licensing and data reporting systems were not compromised or taken.
Data accessed or acquired included publicly available statutory financial reporting information, credit rating agency data and potentially routine technical storage information such as outdated logs or configuration details, NAIC said. The organization said it had no current evidence that personal information, credit card information or banking information was accessed.
Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.
Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.
NAIC said a consultant is reviewing the data posted by the group against the organization’s preliminary findings. NAIC said it is coordinating with the FBI and has not disclosed whether it received a ransom demand or whether any payment was made.
The disruption echoes an October ransomware outage at MuniOS, a Michigan-based municipal bond disclosure platform, where issuers had to reroute presale offering documents to the Municipal Securities Rulemaking Board’s EMMA system after the site went offline. Both incidents affected specialized financial-regulatory workflows rather than direct consumer services.
NAIC said the access path has been blocked, but it has not said when online invoice payments will return or when insurer investment designations will fully resume.
