NAIC Says Data Taken in Hack Has Been Published Online

June 25, 2026

The National Association of Insurance Commissioners (NAIC) now says the data taken earlier this month from its information technology systems has been published online by the hackers responsible.

In a short note on its website, NAIC said it is “actively working with an external cybersecurity partner to compare the scope and type of data the group posted with our own analysis.”

Updates will be posted when available, the NAIC said.

According to multiple online resources, the ShinyHunters ransomware group claimed responsibility for the NAIC breach, and allegedly stole 3.1 terabytes of data.

The group said it had technology provided by the NAIC, including the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate Authority Application (UCAA), Enterprise Data Platform (EDP), and Regulatory Data Collection (RDC). However, outside cybersecurity experts involved in an analysis of the breach confirmed this information was not taken.

No employee data, electronic funds transfer, risk-based capital data, policyholder information, producer data, or event registration payment information was accessed, the internal investigation concluded, NAIC said.

Just days ago, NAIC said its investigation found that the group responsible gained unauthorized access to its systems via a zero-day vulnerability in Oracle PeopleSoft. NAIC, which collects and provides data, technology, and analysis to insurance commissioners, primarily uses PeopleSoft for internal financial reporting purposes.

“It is important to remember that the NAIC was targeted by criminals, and like all businesses is addressing an ever-changing cyber risk environment,” said the National Association of Mutual Insurance Companies (NAMIC) in a statement to Insurance Journal. “No one is immune to the threat, and no organization deserves criminal intrusion into their systems.”

Considering the kind and amount of data collected by NAIC, a “concerted effort should be undertaken to assess concentration risk and appropriate mitigation steps,” added NAMIC.

In a letter sent from NAMIC to NAIC, the nonprofit, non-governmental organization received some criticism for its handling of the data it possesses—and the handling of this incident. NAIC said it discovered the cyber intrusion on June 11. Its first online post was June 17.

The trade association for mutual insurers said it was “troubled” by a lack of communication.

NAIC “did not seem to provide any type of directed alert other than what was posted on the NAIC website, did so nearly one full week after identifying the event occurred, and did not follow similar standards imparted onto insurers for responding to cybersecurity events,” wrote NAMIC to NAIC President Scott White.

The American Property Casualty Insurance Association (APCIA), in a separate letter to NAIC, expressed the need for “clear direction from NAIC” so the trade association could advise member companies who were seeking information about the incident’s scope and implications. APCIA offered its assistance to NAIC.

APCIA could not immediately be reached to comment about the most recent developments.