NAIC Victim of Cyber Incident Via PeopleSoft System

The National Association of Insurance Commissioners (NAIC) said it was the victim of a data breach, though an investigation has found the group responsible is unlikely to have the scope of data it has claimed.

The NAIC said the cyber incident was the result of a broad campaign that affected multiple organizations to exploit a zero-day vulnerability in Oracle PeopleSoft. NAIC uses PeopleSoft primarily for internal financial reporting purposes, it said in a June 23 update of the situation.

No personally identifiable information or payment information—including credit card or banking information—was accessed, said NAIC. It added that the “incident was promptly contained” after its detection on June 11. The association “engaged outside counsel and cybersecurity experts. FBI coordination is underway.”

NAIC also said its cyber insurance carrier was contacted.

There has been no confirmation that data from its environment has been published or released, said the NAIC, which provides data, technology, and analysis to insurance commissioners used in the regulation of the insurance industry. The systems of state insurance departments were not affected, the association said.

Cybersecurity experts have remediated the affected systems and additional steps have been taken to shore up defenses. “We are meeting with credit rating providers to provide third-party assurances that our systems are secure,” NAIC said.

“If the data is released by the group responsible, we will engage cybersecurity experts to compare our data with what affected systems have been remediated,” NAIC added.

The hackers claimed to have access to technology provided by the NAIC such as the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate Authority Application (UCAA), Enterprise Data Platform (EDP), and Regulatory Data Collection (RDC). However, the a cybersecurity firm has this information was not taken. No employee data, electronic funds transfer, risk-based capital data, policyholder information, producer data, or event registration payment information was accessed, the internal investigation concluded.

According to multiple online resources, the ShinyHunters ransomware group claimed to have breached NAIC, and allegedly stole 3.1 terabytes of data—more than 105,000 files.

ShinyHunters also claimed responsibility last month for stealing data from Instructure’s Canvas platform, which schools use for class assignments, and information sharing. Early this year, Bumble, Panera Bread, Match Group, and CrunchBase were also hit by attacks from ShinyHunters.