The National Association of Insurance Commissioners (NAIC) has confirmed a data breach after an investigation found that hackers exploited a zero-day vulnerability in Oracle PeopleSoft software. The ShinyHunters extortion group claimed to have stolen 3.1 terabytes of data, including insurer regulatory filing documents and credit rating files.
What Happened
The NAIC uses PeopleSoft primarily for internal financial reporting purposes, but attackers were able to use the vulnerability to gain temporary access to certain data storage areas before the organization detected and contained the breach. The unauthorized party exploited the zero-day vulnerability—a flaw unknown to the software developer at the time of the attack—as part of a broad campaign affecting multiple organizations.
The NAIC spotted the attack on June 11 and immediately launched its incident response protocol, which includes notifying law enforcement, blocking malicious actors, and bringing in third-party security experts. The Commission disclosed the incident on June 17, a day before ShinyHunters went public with their claims of stolen data.
Background and Context
The ShinyHunters ransomware group has been linked to several high-profile attacks in recent months, including breaches at Instructure's Canvas platform, Bumble, Panera Bread, Match Group, and CrunchBase. The group claimed responsibility for stealing data from these organizations and demanded ransoms in exchange for not releasing the stolen information.
The NAIC uses PeopleSoft to manage its internal financial reporting, but it is unclear how the attackers were able to gain access to sensitive data. The organization has confirmed that no personally identifiable information (PII) or payment and financial account information was accessed during the breach.
Why It Matters
The data breach at NAIC highlights the importance of robust cybersecurity measures in protecting against zero-day vulnerabilities. The ShinyHunters group exploited a flaw in PeopleSoft software that was unknown to the developer, demonstrating the need for continuous monitoring and patching of systems.
For adult-industry platforms and operators, this incident serves as a reminder of the importance of implementing robust cybersecurity measures to protect against similar attacks. The use of zero-day vulnerabilities by threat actors like ShinyHunters underscores the need for industry-wide collaboration on security best practices and information sharing.
What Comes Next
The NAIC has confirmed that all affected systems have been remediated, and additional steps are being taken to shore up defenses. The organization is also working with credit rating providers to provide third-party assurances that its systems are secure.
In the wake of this incident, it is likely that the NAIC will review its cybersecurity protocols and implement additional measures to prevent similar breaches in the future. This may include investing in advanced threat detection tools, implementing regular security audits, and providing training for employees on cybersecurity best practices.
Key Facts
- The ShinyHunters extortion group claimed to have stolen 3.1 terabytes of data from the NAIC's PeopleSoft system.
- The breach was caused by a zero-day vulnerability in Oracle PeopleSoft software that was being actively exploited by the ShinyHunters group.
- No personally identifiable information (PII) or payment and financial account information was accessed during the breach.
- The NAIC uses PeopleSoft primarily for internal financial reporting purposes, but attackers were able to use the vulnerability to gain temporary access to certain data storage areas.
- The ShinyHunters group has been linked to several high-profile attacks in recent months, including breaches at Instructure's Canvas platform and Bumble.