compliance · BleepingComputer
The National Association of Insurance Commissioners (NAIC) confirmed that the ShinyHunters extortion group breached its Oracle PeopleSoft systems by exploiting a zero-day vulnerability (CVE-2026-35273). The unauthorized access occurred in June 2026. NAIC states that the stolen data consisted of publicly available statutory financial reports, credit rating agency data, outdated logs, and configuration files. The organization found no evidence that personally identifiable information or financial data were compromised, and disputed ShinyHunters' claims that critical insurance platforms such as SERFF, OPTins, and SBS were compromised. ShinyHunters later published an inventory claiming 3.1 TB of data including regulatory filing PDFs, configuration files, and stored credentials, though the threat actor acknowledged earlier summaries contained AI-generated inaccuracies.
For Omniware's buyers, this incident underscores the risk of zero-day exploitation in enterprise systems managing regulated data. Defense contractors and financial services firms relying on legacy enterprise software should review their patch management and zero-day response procedures as part of CMMC Level 3 and NIST 800-171 compliance. Healthcare and fintech organizations handling sensitive systems should assess whether similar vulnerabilities could expose PII or payment data under their SOC2 Type II or PCI DSS controls. An Omniware engagement can evaluate your organization's vulnerability disclosure response, configuration hardening, and access controls for systems managing regulatory or sensitive data.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/naic-says-public-data-stolen-in-shinyhunters-peoplesoft-breach/
Source: BleepingComputer
All briefings