The National Association of Insurance Commissioners (NAIC) disclosed a cybersecurity incident after attackers exploited a zero-day vulnerability in Oracle PeopleSoft.
The association said the attack formed part of a broader campaign targeting multiple organisations using the software. State insurance department systems were not affected, according to Beinsure.
The NAIC detected the unauthorised access on June 11 and contained the incident shortly afterwards. The association engaged external cybersecurity experts, retained outside legal counsel, notified its cyber insurance carrier and coordinated the investigation with the Federal Bureau of Investigation.
According to Beinsure, investigators concluded the attackers do not possess the volume or scope of information they publicly claimed. As of the latest update, the NAIC said it has no confirmation that data from its environment has been published or released.
The association stated that no personally identifiable information, payment information, credit card details or banking information was accessed.
Investigators also found no evidence that employee personal information, electronic funds transfer records, risk-based capital data, policyholder information, producer information or event registration payment data had been compromised.
The incident originated through Oracle PeopleSoft, which the NAIC primarily uses for internal financial reporting. Investigators determined the attackers obtained temporary access to certain data storage areas after exploiting the previously unknown vulnerability. The organisation blocked the access route, remediated the affected systems and introduced additional security measures.
The investigation found that the attackers accessed publicly available statutory financial reporting information and credit rating agency data related to insurer investment ratings. The incident did not expose rating agency investment rationale reports.
The threat actors claimed they had obtained technology supporting the System for Electronic Rate and Form Filing, Online Premium Tax for Insurance, Uniform Certificate Authority Application, Enterprise Data Platform and Regulatory Data Collection.
External cybersecurity experts confirmed the attackers did not obtain information from those systems and did not compromise the regulatory reporting platforms.
The investigation also confirmed that the National Insurance Producer Registry, TeamMate and State Based Systems were not affected by the incident.
Incident Background
- Unauthorized access to a portion of the NAIC’s environment was identified on June 11 via an Oracle PeopleSoft vulnerability. While in PeopleSoft, the unauthorized party was able to obtain information needed to gain temporary access to certain data storage areas. The ability to gain this temporary access has been blocked and remediated.
- The incident was promptly contained following detection, and the NAIC engaged outside counsel and cybersecurity experts. FBI coordination is underway.
- The incident resulted from a broad campaign to exploit a vulnerability in PeopleSoft that was unknown to the developer or software users at the time, otherwise known as a “zero-day vulnerability,” which affected multiple organizations. The NAIC uses PeopleSoft primarily for internal financial reporting purposes.
- Based on our investigation with outside cybersecurity experts and what we know today, we do not believe the group responsible has the amount or scope of data it has claimed, and as of this writing, we have no confirmation that data from our environment has been published or released.
The NAIC said operations have returned to normal except for two temporary disruptions. Several credit rating agencies paused their data feeds, and investment designation services will resume once the organisation has provided independent security assurances. Online invoice payments through Oracle PeopleSoft also remain unavailable.
The association said that if the attackers publish files they claim to have stolen, it will compare the release with information from the remediated systems. The review process is expected to continue for several months as investigators complete their analysis.









