NAIC Confirms Data Breach Linked to Oracle PeopleSoft Vulnerability

The National Association of Insurance Commissioners (NAIC) reported a cybersecurity breach affecting its systems, detected on June 11, 2026. The breach was linked to a zero-day vulnerability in Oracle PeopleSoft, tracked as CVE-2026-35273. Hackers exploited this flaw to access and publish sensitive data, including unpublished credit ratings information from KBRA and other agencies. The NAIC confirmed that no personally identifiable information or financial account data was compromised. Several credit rating agencies, including Moody's and Fitch Ratings, have suspended data feeds to NAIC as a precaution. The breach has impacted the NAIC's ability to assign designations to insurer investments. The FBI is involved in the ongoing investigation, and the NAIC has engaged cybersecurity experts to enhance its defenses. Operations have mostly returned to normal, except for some online services still being unavailable.

Key Points: • The NAIC suffered a breach due to a zero-day vulnerability in Oracle PeopleSoft. • Sensitive data, including unpublished credit ratings, was accessed and published by hackers. • Multiple credit rating agencies have suspended data feeds to NAIC following the incident.