Search TorWire

Find cybersecurity guides and research articles

Home > News > Cybersecurity > ShinyHunters Claims 3.1TB Data Theft in Alleged NAIC Breach

ShinyHunters Claims 3.1TB Data Theft in Alleged NAIC Breach

By: Jordan Vector Cybersecurity Expert

Last updated: June 29, 2026

Human Written
ShinyHunters Claims 3.1TB Data Theft in Alleged NAIC Breach
  • ShinyHunters claims to have published 3.1 terabytes of data allegedly stolen from the National Association of Insurance Commissioners (NAIC).

  • The breach has ties to the exploitation of a critical Oracle PeopleSoft vulnerability that affected more than 100 organizations.

  • The incident highlights the growing trend of data-theft extortion attacks that focus on leaking stolen information rather than encrypting systems.

One of the largest cyber incidents to impact the insurance sector this year just unfolded after the cybercrime group ShinyHunters published what it claims is 3.1 terabytes of data stolen from the National Association of Insurance Commissioners (NAIC), the organization that coordinates insurance regulation across all 50 U.S. states.

The publication of the alleged stolen data follows a failed extortion attempt in which the threat actors reportedly demanded contact from the organization before a June 22 deadline. Failure to reach an agreement, the group blew open the data on its dark web leak site.

The incident drew significant attention across the cybersecurity and insurance industries because of the NAIC’s unique role within the U.S. insurance ecosystem. Unlike a typical corporate breach, an incident affecting the regulator potentially touches thousands of insurers, reinsurers, brokers, and financial institutions that submit regulatory filings to the organization.

Oracle Vulnerability Linked to Attack

According to reports, the attack began in late May when ShinyHunters allegedly exploited a critical vulnerability in Oracle PeopleSoft software. The flaw, which received a severity score of 9.8 out of 10, reportedly let attackers obtain credentials and move through affected environments.

The same vulnerability was leveraged in a massive campaign by ShinyHunters that targeted over 100 organizations, highlighting the widespread impact of the flaw.

Security researchers have linked the same vulnerability to attacks against numerous organizations during a roughly two-week period before Oracle publicly released guidance addressing the issue. The NAIC disclosed that it detected suspicious activity on June 11 and subsequently engaged the FBI and external cybersecurity specialists to investigate the incident.

Google’s Mandiant cybersecurity division has reportedly attributed the intrusion to ShinyHunters, a well-known cybercriminal collective associated with numerous high-profile breaches over recent years.

Dispute Over What was Stolen

ShinyHunters initially made broad claims regarding the contents of the alleged dataset but later revised some of its statements, attributing earlier descriptions to analytical errors and AI-generated misinterpretations.

The group now claims the stolen information includes:

  • More than 264,000 insurer regulatory filing documents.
  • Approximately 45,000 files are associated with major credit rating agencies.
  • Insurance financial statements submitted between 2017 and 2024.
  • Around 2,000 customer records.
  • Production logs and cloud configuration files.
  • Database scripts containing credentials tied to production environments.

The NAIC disputes the full scope of these claims. According to the organization, investigators found no evidence of compromise in core operational systems and confirmed that attackers did not access policyholder information, payment data, or any personally identifiable information. The regulator acknowledged that the exposure may have included certain regulatory reports, credit-rating data, and older infrastructure logs.

Insurance Industry Faces Broader Risks

Industry experts note that the incident extends beyond the NAIC itself. As the primary coordinating body for insurance regulation in the United States, the organization maintains extensive filings, financial statements, and regulatory information submitted by insurers operating throughout the country.

Some of the alleged attackers reportedly included financial identifiers such as CUSIP and ISIN numbers in the stolen files, which are widely used in global debt and investment markets. Security researchers warn that configuration files, infrastructure documentation, and cloud environment information can provide threat actors with valuable insights into internal systems, potentially enabling follow-up attacks months after an initial compromise.

The breach has already had operational consequences. Several credit-rating agencies reportedly suspended certain data feeds to the NAIC following the incident, while the organization temporarily halted investment designation activities used by insurers for regulatory compliance purposes.

Rise of Data-Theft Extortion

The NAIC incident reflects a growing trend in cybercrime. Rather than deploying ransomware that encrypts systems, many groups now focus solely on stealing sensitive information and threatening public disclosure. Security researchers say these so-called “data-theft-only” attacks have become increasingly common during the past year.

Under this model, victims restore operations from backups, but attackers keep the stolen information and may still publish it online despite recovery efforts. ShinyHunters have ties to several high-profile incidents in recent months, with the group allegedly targeting organizations across healthcare, government, retail, and financial sectors.

The FBI continues to investigate the NAIC incident. Meanwhile, insurance companies, brokers, reinsurers, and regulatory organizations worldwide are closely monitoring developments, as the breach underscores the risks facing institutions that serve as central repositories for large volumes of industry data.

If the threat actors’ claims are accurate, the incident may represent one of the most significant regulatory-sector data exposures to impact the insurance industry in recent years.

Share this article

About the Author

Jordan Vector

Jordan Vector

Cybersecurity Expert

Jordan is a security researcher and advocate who focuses on making privacy practical. Whether he's explaining how to harden a browser or reporting on the latest surveillance disclosures, his goal is to equip readers with knowledge they can use immediately. Jordan believes that true security begins with understanding the digital landscape.

Comments (0)

No comments.