NAIC breached through an Oracle PeopleSoft zero-day; ShinyHunters dumps 3.1 TB and US rating-agency feeds stall
From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29
If you did nothing this week: any internet-reachable Oracle PeopleSoft instance is a live pre-auth foothold — the same zero-day path that put the US National Association of Insurance Commissioners into ShinyHunters' hands, and PeopleSoft is widely deployed across European public administration, higher education and HR/finance back offices. The W25 looking-ahead flagged that ShinyHunters PeopleSoft notifications were still landing and that EU universities were a probable next-named class; NAIC is the fresh high-profile confirmation that the campaign is still acquiring victims.
NAIC — the standard-setting body for all 50 US state insurance regulators — confirmed on 2026-06-26 that an unauthorised party reached its environment on June 11 via an Oracle PeopleSoft vulnerability, then pivoted from PeopleSoft to temporary access to data-storage areas. ShinyHunters claims 3.1 TB exfiltrated (TechRadar, Insurance Journal). The operational tell is the downstream impact NAIC itself disclosed: credit-rating agencies paused their data feeds and NAIC suspended assigning designations to insurer investments — a regulatory-process outage, not just a data-confidentiality event. This is the same PeopleSoft exploitation wave (CVE-2026-35273, the unauthenticated RCE in PeopleTools Environment Management) Google GTIG attributes to UNC6240/ShinyHunters and has been tracking against the education sector — 68% of identified targets were higher-education institutions; see § 8 for the campaign-level status. Treat any externally-reachable PeopleSoft portal (/PSEMHUB/, /PSIGW/HttpListeningConnector) as a hunt target, not a patch-later item. (daily 06-28)
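One way to run that hunt over web-server or reverse-proxy access logs, as an added example that is not part of the original brief: it groups externally sourced requests to the two paths named above by source address. The combined log format, the internal network list and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Paths named in the brief; trailing slash dropped so "/PSEMHUB" also matches.
HUNT_PATHS = ("/psemhub", "/psigw/httplisteningconnector")

# Assumption: replace with the address ranges your own estate treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def is_external(addr):
    """True when the source is outside INTERNAL_NETS (unparseable sources are kept)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def hunt(lines):
    """Return {source: [(timestamp, method, uri, status), ...]} for hunt-path hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_external(m["src"]):
            continue
        # Normalise first: drop query string, decode %xx, lower-case, collapse slashes.
        path = re.sub(r"/+", "/", unquote(m["uri"].split("?", 1)[0]).lower())
        if any(p in path for p in HUNT_PATHS):
            hits[m["src"]].append((m["ts"], m["method"], m["uri"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges), not real telemetry.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:02:14:09 +0000] "POST /PSEMHUB/ HTTP/1.1" 200 512 "-" "-"',
    '10.1.4.20 - - [01/Jan/2026:02:15:00 +0000] "GET /PSEMHUB/ HTTP/1.1" 200 128 "-" "-"',
    '198.51.100.23 - - [01/Jan/2026:02:16:41 +0000] "GET /psigw//HttpListeningConnector?x=1 HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.23 - - [01/Jan/2026:02:17:02 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 900 "-" "-"',
    '203.0.113.7 - - [01/Jan/2026:02:18:30 +0000] "GET /%50SEMHUB/ HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for src, reqs in hunt(SAMPLE_LOG).items():
        print(src, len(reqs), reqs)
```

If the logs come from a server behind a load balancer, the first field is the balancer's address; run this against the edge device's logs or the forwarded-client field instead.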