ShinyHunters exploited a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft servers to breach NAIC systems. The attackers accessed and exfiltrated publicly available statutory financial reports, outdated logs, configuration files, and some stored credentials. NAIC's investigation found no evidence of exposure of personally identifiable information or sensitive financial data, and disputed claims that critical regulatory platforms were compromised. The breach impacted operations temporarily, including suspension of data feeds by credit rating agencies. NAIC has remediated the affected systems and is implementing additional security measures. The zero-day vulnerability affected both cloud and on-premises PeopleSoft instances and has impacted over 100 organizations, mostly in the education sector.

The breach resulted in the theft of publicly available data, outdated logs, configuration files, and some stored credentials, but no personally identifiable information or sensitive financial data was exposed according to NAIC. Operational impacts included temporary suspension of credit rating agency data feeds and pausing of investment designation work. The incident did not compromise critical insurance regulatory platforms. The attack leveraged a zero-day vulnerability in Oracle PeopleSoft, which has affected multiple organizations beyond NAIC.

NAIC has remediated all affected systems and is implementing additional defenses to prevent future attacks. Oracle has publicly disclosed the zero-day vulnerability (CVE-2026-35273) exploited in these attacks. Organizations using Oracle PeopleSoft should apply Oracle's official patches or mitigations as soon as they become available. Since this is not a cloud service, customers must ensure their on-premises PeopleSoft instances are updated. Patch status is not explicitly confirmed in this data; check Oracle's advisory for current remediation guidance.