VYPR
Published Jun 29, 2026 · 2 sources

US Insurance Regulator NAIC Confirms Data Breach Via Oracle PeopleSoft Zero-Day

The National Association of Insurance Commissioners (NAIC) confirmed a data breach resulting from exploitation of a zero-day vulnerability in Oracle PeopleSoft, exposing credit rating data.

The National Association of Insurance Commissioners (NAIC), the standard-setting body for US federal insurance regulators, has confirmed a significant data breach that compromised credit rating agency data and other financial reporting information. The breach, detected on June 11 and publicly disclosed on June 17, was attributed to the exploitation of a zero-day vulnerability in Oracle PeopleSoft, a system the NAIC uses for internal financial reporting.

According to the NAIC's latest update on June 26, an unauthorized actor gained access to a portion of its IT environment by exploiting this vulnerability. The attackers then exfiltrated and subsequently published some of the accessed data. This campaign is described as a broad effort to exploit the PeopleSoft flaw, affecting multiple organizations beyond the NAIC.

The compromised data includes statutory financial reporting information that is often publicly available through state websites, as well as credit rating agency data related to insurer investments. The NAIC also noted the potential exposure of routine technical information such as outdated logs. In response to the incident, some credit rating agencies have temporarily paused their data feeds, leading the NAIC to suspend its designation process for insurer investments.

Crucially, the NAIC has detailed what data was *not* compromised. This includes personal information of NAIC users and employees, payment and financial account details, specific investment rationale reports from rating agencies, information related to US state insurance departments, data linked to the National Insurance Producer Registry (NIPR) or Teammate software, and certain insurance process data like policyholder information and electronic funds transfers.

Furthermore, the NAIC explicitly denied claims that the attackers accessed data from systems like SERFF, OPTins, UCAA, EDP, and RDC, with external cybersecurity experts corroborating these assertions. The association emphasized that these critical regulatory reporting systems remain secure.

Upon detection, the NAIC acted swiftly to contain the breach, blocking the attacker's access and engaging external cybersecurity experts and legal counsel to bolster defenses. Coordination with the FBI is ongoing. The association reported that its operations have largely returned to normal, with the exception of online invoice payments via PeopleSoft, which remain unavailable.

The NAIC is working with credit rating providers to assure them of its system security and to resume the designation process. This incident highlights the ongoing threat posed by zero-day exploits targeting widely used enterprise software, even within critical infrastructure sectors like insurance regulation.

Nissan Americas has confirmed its own employees were impacted by the same Oracle PeopleSoft zero-day exploitation that affected the NAIC. The automaker disclosed that the breach, which occurred between May 27 and June 9, may have exposed sensitive payroll records, bank details, and Social Security numbers of current and former employees across the US, Canada, Mexico, and Brazil. Nissan is cooperating with Oracle and law enforcement on the investigation and has implemented enhanced access controls for payroll data.

Synthesized by Vypr AI