NAIC criticized regarding cybersecurity event

Published on June 30, 2026

Some credit rating agencies have paused their data feeds to the National Association of Insurance Commissioners (NAIC) following a cybersecurity event at the association, according to statements posted on their websites.

NAIC says it first identified an Oracle PeopleSoft vulnerability on June 11. It adds that an unauthorized party was able to obtain information needed to gain temporary access to certain data storage areas.

“The incident resulted from a broad campaign to exploit a vulnerability in PeopleSoft that was unknown to the developer or software users at the time, otherwise known as a ‘zero-day vulnerability,’ which affected multiple organizations,” NAIC stated. “NAIC uses PeopleSoft primarily for internal financial reporting purposes.”

Mandiant and Google Threat Intelligence Group (GTIG) identified an active compromise and extortion campaign, attributed to the ShinyHunters hacking group, that targeted Oracle PeopleSoft application infrastructure between May 27 and June 9, according to a post.

The post adds that more than 100 organizations worldwide were notified, many of them in the higher education sector.

On Friday, KBRA issued a statement that it was first notified by NAIC about the breach on June 18. NAIC then contacted KBRA on June 26 to say that KBRA ratings information submitted through a regulatory data feed had been exported during the incident.

“NAIC requires KBRA and other credit rating agencies to provide these data feeds for NAIC designation purposes,” KBRA’s release states. “Based on the information provided to KBRA by the NAIC, the compromised data includes unpublished ratings information and related identifiers but did not include transaction or issuer names or information.”

KBRA notes that its own system was not compromised and that NAIC is responsible for safeguarding the information.

“The period between the NAIC’s discovery of the incident on June 11, its public disclosure on June 18, and its confirmation to KBRA on June 26 that KBRA’s data had been affected limited KBRA’s ability to assess the situation, evaluate potential impacts, and communicate with regulators, clients, and other stakeholders,” KBRA states.

It adds that it has suspended its regulatory data feed to NAIC pending satisfactory resolution.

Fitch Ratings told CybersecurityDive, a cybersecurity publication, that data it previously submitted to NAIC was impacted by the breach.

NAIC notes on its website that other data accessed or acquired consists of publicly available statutory financial reporting information, such as information that was already available before the incident through state websites, InsData, or resellers.

Last week, the New Hampshire Insurance Department (NHID) said it is monitoring the NAIC cybersecurity incident, according to a June 26 NHID press release.

It states that, based on information provided by the NAIC to date, there is no current evidence that NHID systems or consumer personal or financial information were affected.

Insurance Commissioner D.J. Bettencourt participated in an NAIC briefing on the matter, and the NHID remains in communication with the NAIC as additional verified information becomes available, the release states.

“Protecting the integrity of our regulatory systems and maintaining public confidence are top priorities for the Department,” said Bettencourt in the release. “I have participated directly in briefings with the NAIC, and based on the information available today, there is no evidence that New Hampshire systems or consumer personal or financial information were affected. We will continue to monitor the situation closely and provide updates if the facts change.”

NAIC says that some additional storage data was also accessed, which it describes as routine technical information such as outdated logs or configuration information.

It adds that there’s no current evidence that PII or payment and financial account information was accessed, including credit card or banking information.

NAIC said its senior management is working with outside cybersecurity experts, the FBI and outside counsel.

It says that most of its operations have returned to normal but that it is meeting with credit rating agencies on any steps required to restore services. Online invoice payments via PeopleSoft also remain unavailable.

NAIC also asks that anyone who receives a suspicious communication claiming to come from NAIC not respond to it or click any links. It asks that the message be preserved and reported to [email protected].

Insurance NewsNet reports that the National Association of Mutual Insurance Companies (NAMIC) sent a letter to NAIC criticizing its security practices and its lack of communication.

“It appears evident that the NAIC has not implemented proper cyber guardrails, including practices like segmenting sensitive information systems from one another,” wrote Erin Collins, NAMIC senior vice president for state and policy affairs, according to Insurance NewsNet.

During the 2024 MSO Symposium, industry officials discussed how the CDK ransomware attack demonstrated the way a cyberattack on one vendor can ripple through an entire industry.

Representatives of StoredTech also discussed ransomware attacks and cybersecurity during a 2024 Collision Industry Conference meeting.

Featured image credit: janiecbros/iStock