A major insurance regulator just found itself at odds with the hacking group that broke into its systems. The NAIC data breach, first detected on June 11, has turned into a public dispute over exactly what was stolen and how serious the damage really is.
The National Association of Insurance Commissioners, which oversees insurance regulation across all 50 states, confirmed that an unauthorized party accessed a portion of its IT systems. The intrusion came through a zero-day vulnerability in an Oracle PeopleSoft server, a flaw later tracked as CVE-2026-35273. ShinyHunters, the extortion group behind the attack, claimed credit and published stolen files after NAIC declined to pay a ransom.
What ShinyHunters Claims to Have Taken
ShinyHunters initially painted a dramatic picture of the breach. The group said it pulled 3.1 terabytes of data spread across roughly 105,000 files from NAIC’s INSData and Vision servers. Their list of stolen material included over 264,000 insurer regulatory filing PDFs spanning 2017 to 2024, around 2,000 customer and payment records, 45,000 rating agency files, and AWS infrastructure configuration data.
Most alarming was the claim that login credentials for SERFF, OPTins, and UCAA production environments had also been exposed. Those systems handle electronic insurance rate filings and premium tax processing, so any real compromise there would carry serious consequences for the broader insurance industry.
NAIC Pushes Back on the Scale of the Breach
NAIC’s response told a much different story. The organization says its investigation found no evidence that personally identifiable information or financial data was ever exposed. It also directly disputed claims that core regulatory platforms like SERFF, OPTins, and SBS were compromised in any meaningful way.
According to NAIC, what the attackers actually accessed and stole was already publicly available material. This included statutory financial reports, credit rating agency data, outdated system logs, and configuration files that held little operational value. The gap between what ShinyHunters claimed and what NAIC says actually happened sits at the center of this NAIC data breach story.
There were still real consequences. Credit rating agencies temporarily suspended their data feeds to NAIC as a precaution, and the organization paused its investment designation work while it assessed the situation. NAIC says all affected systems have since been remediated and that additional security measures are being put in place.
An Unusual Admission From the Attackers
One detail sets this incident apart from typical breach disputes. In an update to its claims, ShinyHunters admitted that an earlier summary of the stolen data had been exaggerated because the group relied on AI tools that hallucinated details while reviewing the files. The group said its newer, more conservative file count was checked by a human reviewer instead and should be treated as the accurate version.
This kind of admission is rare among extortion groups, which usually inflate claims rather than walk them back. It also raises a broader point about how threat actors are now using AI during the post-breach analysis phase, and how that can introduce its own errors into ransom negotiations and public leak claims.
Part of a Wider PeopleSoft Attack Campaign
The NAIC data breach is not an isolated event. ShinyHunters has been running a much larger campaign against organizations running Oracle PeopleSoft, exploiting the same zero-day before Oracle had even disclosed the issue publicly. The group has reportedly hit more than 100 organizations through this campaign, with many of the targets coming from the education sector.
Several of the affected organizations had reportedly been extorted by ShinyHunters before, suggesting the group is returning to previous victims as well as expanding to new ones. This pattern points to a coordinated, large-scale operation rather than a single opportunistic attack against NAIC.
Final Thoughts
The NAIC data breach is a useful example of how attacker claims and organizational findings can diverge sharply after a leak. ShinyHunters initially described a sweeping compromise of sensitive regulatory infrastructure, but NAIC’s own investigation paints a far more limited picture involving mostly public and outdated data.
For organizations running Oracle PeopleSoft or similar enterprise systems, the case is a reminder that zero-day vulnerabilities can be exploited well before patches or public advisories exist. Verifying breach claims independently, rather than taking extortion group statements at face value, remains essential when assessing real exposure. Using a VPN and strong endpoint security practices can also reduce the risk of credentials and internal systems being exposed during similar large-scale exploitation campaigns.