The National Association of Insurance Commissioners (NAIC) now says the data taken earlier this month from its information technology systems has been published online by the hackers responsible.
In a short note posted midday June 25, NAIC said it was “actively working with an external cybersecurity partner to compare the scope and type of data the group posted with our own analysis.”
Editor’s Note: Story updated to include the latest information posted to NAIC’s website.
Later June 25, NAIC posted another update saying that, based on its review with an outside data consultant, the data posted includes publicly available statutory financial reporting information as well as credit rating agency data, including rating determinations of insurer investments.
NAIC said this data does not include any rating agency investment rationale reports.
Other data impacted potentially includes NAIC routine technical information, such as outdated logs or configuration information.
NAIC said a complete assessment will take “at least several weeks” but right now there is no evidence that personally identifiable information (PII) or payment or financial account information was impacted.
The support organization for state insurance regulators said it is “committed to transparency as this work proceeds.” NAIC’s regulatory filing systems are operating and secure, it added.
According to multiple online resources, the ShinyHunters ransomware group claimed responsibility for the NAIC breach, and allegedly stole 3.1 terabytes of data.
The group said it had technology provided by the NAIC, including the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate Authority Application (UCAA), Enterprise Data Platform (EDP), and Regulatory Data Collection (RDC). However, outside cybersecurity experts involved in an analysis of the breach confirmed this information was not taken.
No employee data, electronic funds transfer, risk-based capital data, policyholder information, producer data, or event registration payment information was accessed, the internal investigation concluded, NAIC said.
Just days ago, NAIC said its investigation found that the group responsible gained unauthorized access to its systems via a zero-day vulnerability in Oracle PeopleSoft. NAIC, which collects and provides data, technology, and analysis to insurance commissioners, primarily uses PeopleSoft for internal financial reporting purposes.
“It is important to remember that the NAIC was targeted by criminals, and like all businesses is addressing an ever-changing cyber risk environment,” said the National Association of Mutual Insurance Companies (NAMIC) in a statement to Insurance Journal. “No one is immune to the threat, and no organization deserves criminal intrusion into their systems.”
Considering the kind and amount of data collected by NAIC, a “concerted effort should be undertaken to assess concentration risk and appropriate mitigation steps,” added NAMIC.
In a letter sent from NAMIC to NAIC, the nonprofit, non-governmental organization received some criticism for its handling of the data it possesses—and the handling of this incident. NAIC said it discovered the cyber intrusion on June 11. Its first online post was June 17.
The trade association for mutual insurers said it was “troubled” by a lack of communication.
NAIC “did not seem to provide any type of directed alert other than what was posted on the NAIC website, did so nearly one full week after identifying the event occurred, and did not follow similar standards imparted onto insurers for responding to cybersecurity events,” wrote NAMIC to NAIC President Scott White.
The American Property Casualty Insurance Association (APCIA), in a separate letter to NAIC, expressed the need for “clear direction from NAIC” so the trade association could advise member companies who were seeking information about the incident’s scope and implications. APCIA offered its assistance to NAIC.
APCIA could not immediately be reached to comment about the most recent developments.
This article was previously published by Insurance Journal. Reporter Chad Hemenway is the National Editor of Insurance Journal.







