The National Association of Insurance Commissioners (NAIC) says the ShinyHunters extortion group stole only publicly available data, outdated logs, and configuration files after breaching its systems by exploiting a zero-day vulnerability in an Oracle PeopleSoft server.
NAIC is a U.S. insurance regulatory organization present in all 50 states. On June 11, the organization identified that its PeopleSoft system had been accessed by an unauthorized party, stating that "an unauthorized third party gained access to a portion of our IT systems."
ShinyHunters claimed the attack and leaked the stolen data after the organization refused to pay a ransom.
NAIC responded to the threat actor's leak and addressed some of the claims. The organization says that the hackers accessed and, in some cases, stole already publicly available statutory financial reports, credit rating agency data, outdated logs, and configuration information.
According to NAIC, the investigation found no evidence of personally identifiable information (PII) or financial data having been exposed. The organization also directly disputed the threat actor’s earlier claims that they compromised critical insurance regulatory platforms like SERFF (System for Electronic Rate and Form Filing), OPTins (Online Premium Tax for Insurance), and SBS (State-Based Systems).
The incident had operational consequences, with credit rating agencies temporarily suspending data feeds and the NAIC pausing investment designation work, but there are significant discrepancies between the hackers’ claims and the organization’s findings.
In an announcement updated on June 25, ShinyHunters claims to hold 3.1 TB of data corresponding to 105,000 files stolen from NAIC's systems:
INSData and Vision servers
264,000 insurer regulatory filing PDFs between 2017 and 2024
2,000 customer/order/payment records