Extortionists Add National Association of Insurance Commissioners to Breach List

Car-manufacturing giant Nissan and the U.S. National Association of Insurance Commissioners are the latest organizations to confirm they fell victim to cyber extortionists who wielded a zero-day exploit against Oracle PeopleSoft.
ShinyHunters, a financially motivated cybercrime group with a history of stealing data and holding it for ransom, claimed credit for the PeopleSoft campaign. The group has listed a number of putative victims on its data-leak site, including Sysco, Ralph Lauren, Inter-Con Security, Kodak and Amazon-owned primary care service One Medical. The extortionists are threatening to leak stolen data online unless victims pay them a ransom (see: ShinyHunters Threatens to Leak Amazon One Medical Records).
Data breach notifications filed last week with the California state attorney general’s office reveal that Nissan fell victim to the campaign, although the company does not appear on ShinyHunters' data-leak site.
Nissan is one of the world’s 10 largest automakers. It uses PeopleSoft to handle personnel records, including for payroll and tax administration purposes, and warned current and former employees that their personal information may have been stolen.
“Nissan was specifically targeted in this attack,” wrote Leon Martinez, vice president and chief human resources officer for Franklin, Tennessee-based Nissan America, in the breach notifications.
Investigators believe data pertaining to current and former employees in the United States, Canada, Mexico and Brazil was stolen. This includes contact and bank account information, Social Security or other government identification numbers, personal financial and tax details, as well as information pertaining to dependents and beneficiaries.
Another victim of the PeopleSoft-targeting campaign was the National Association of Insurance Commissioners. Headquartered in Kansas City, Missouri, it provides data to insurance regulators.
The organization published a data breach notification at the close of business on Friday, confirming that data was stolen and that the attacker published it online.
“The NAIC uses PeopleSoft primarily for internal financial reporting purposes,” it said. “We are actively working with an external data consultant to compare the scope and type of data the group posted with our own preliminary analysis.”
ShinyHunters first listed NAIC on its data-leak blog on June 18, claiming to have stolen 3.1 terabytes of data including from the association’s enterprise data platform and regulatory data collection platform. NAIC called these claims overblown. “Outside cybersecurity experts confirmed the unauthorized party did not take this information, nor compromised these regulatory reporting systems,” NAIC said.
ShinyHunters on Thursday revised its summary of what it stole, blaming “an analytical error and an artificial intelligence-generated misinterpretation of the underlying data” for getting it wrong. The group now claims to have compromised 105,000 files from NAIC’s filing and credit rating platform, including 264,000 filings from 2017 through 2024.
NAIC said that its investigation, which remains ongoing, has so far found that the stolen data appears to comprise only already publicly available information that it is statutorily required to report. “These statements were publicly available prior to this incident through state websites, InsData or resellers,” it said, adding that the data includes credit ratings but none of the underlying rationale.
Some “storage data” was also exposed, which the organization said comprised only “routine technical information, such as outdated logs or configuration information.”
NAIC assigns investment risk designations to securities in insurers’ portfolios. The company said this service remains suspended, although it expects to have all systems fully restored within several weeks.
Zero-Day Exploit
Oracle first warned in a June 10 security advisory, accompanied by patches, that attackers were targeting CVE-2026-35273, a critical remote code execution vulnerability in PeopleSoft Enterprise PeopleTools, versions 8.61 and 8.62, and potentially also in Oracle PeopleSoft Enterprise Applications.
“This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution,” Oracle warned.
An attack campaign targeting the flaw and exfiltrating data ran from May 27 to June 9 and has been attributed to ShinyHunters, also tracked as UNC6240, said Google threat researchers on June 11.
“Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints,” Google said, with two-thirds of those organizations being “academic institutions, including universities and colleges worldwide” (see: ShinyHunters Hits Universities Via Oracle Zero-Day).
The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its catalog of known-exploited vulnerabilities on June 12, warning that it was being used in ransomware campaigns.
