CRIME & LAW

United States insurance regulators hit by major ransomware attack

▪

Read, Watch or Listen

Media Bias Meter

Sources: 2

Center 100%

Sources: 2

United States – The National Association of Insurance Commissioners (NAIC), a key U.S. standard‑setting body for insurance regulation, has confirmed it was the victim of a ransomware attack that exploited a critical vulnerability in its Oracle PeopleSoft systems. The organization said it identified the breach on June 11, 2026, and later detailed the incident in a public announcement on June 23, 2026. According to the NAIC, an unauthorized third party leveraged CVE-2026-35273, an unauthenticated remote code execution flaw in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, to obtain credentials and gain temporary access to certain data storage areas before the access was blocked and the affected systems were remediated. United States – The NAIC said it brought in the Federal Bureau of Investigation and external cybersecurity experts to conduct a comprehensive investigation into the incident and to assess the scope of data exposure. Security researchers from Google Threat Intelligence Group and Alphabet’s Mandiant unit confirmed that CVE-2026-35273 had been actively exploited as a zero‑day for at least 14 days, from May 27 to June 9, 2026, before Oracle released a security advisory and mitigation patch on June 10. The cybercriminal group ShinyHunters has claimed responsibility for the attack, stating on a dark web forum hosted on the Tor network that it exfiltrated 3.1 terabytes of data from NAIC systems.

Prepared by Emily Rhodes and reviewed by editorial team.

Timeline of Events

May 27, 2026 Attackers begin exploiting PeopleSoft zero-day
June 9, 2026 Exploit window for vulnerability reportedly ends
June 10, 2026 Oracle publishes advisory and mitigation patch
June 11, 2026 NAIC detects breach, blocks unauthorized access
June 11, 2026 NAIC starts remediation on affected systems
June 18, 2026 ShinyHunters claims attack on dark web
June 23, 2026 NAIC issues detailed public incident announcement

Why This Matters to You

This attack on the NAIC, a key insurance regulator, could potentially affect your insurance data. It's a reminder to be proactive about your digital safety. Regularly update your software and use strong, unique passwords for your accounts.

The Bottom Line

Cybersecurity is a shared responsibility. The NAIC is working with the FBI and cybersecurity experts to investigate this breach. While the extent of the data exposure is still unclear, it's a wake-up call for all of us. Worth forwarding if you know someone who needs a nudge to update their passwords.