NAIC 3.1TB Leak Online June 29, 2026: NC SMB Insurance Plan

TL;DR: On June 29, 2026, the National Association of Insurance Commissioners (NAIC) confirmed that 3.1 terabytes of data stolen in the June 11, 2026 ShinyHunters breach — which exploited PeopleSoft zero-day CVE-2026-35273 — has been published on a Tor-hosted forum (Insurance Journal June 29, 2026, Claims Journal coverage, DeXpose breach analysis). The stolen data spans INSData, SERFF, OPTINS, UCAA, EDP, RDC, and Vision credit feeds. NAIC confirmed the exposure was statutory financial reporting and rating-agency data — not PII, payment data, or banking information — but the cascade matters: NC insurance brokers, agencies, and SMBs whose carriers, MGAs, or rating-agency relationships flowed through NAIC systems are now in scope for vendor-risk follow-on, even though they were never directly breached.

Key takeaway: A breach two layers up the supply chain still lands on your desk. When NAIC data goes public, the impact path runs NAIC → carrier → MGA → broker → policyholder. NC insurance brokers and the NC SMBs they serve need a documented fourth-party-risk response that does not depend on the breached organization sending you a letter — because in supply-chain breaches, the letter often never arrives.

Need help building a vendor-and-fourth-party risk response for your NC insurance brokerage or NC SMB? Preferred Data Corporation runs managed cybersecurity, incident response, and vendor risk programs for NC small businesses. Call (336) 886-3282 or request a vendor-risk review.

What did NAIC confirm on June 29, 2026?

That data exfiltrated in the June 11 ShinyHunters breach has been published online. Per the Insurance Journal June 29, 2026 update, the official NAIC security incident update page, the Think Advisor coverage, and the Claim Depot breach summary:

• Volume: 3.1 terabytes claimed by ShinyHunters.
• Systems implicated: INSData, Vision credit feeds, SERFF (System for Electronic Rate and Form Filing), OPTINS (Online Premium Tax for Insurance), UCAA (Uniform Certificate of Authority Application), EDP, and RDC.
• What NAIC says was NOT accessed: PII, payment data, credit card, or banking information.
• What NAIC says WAS accessed: Statutory financial reporting information and credit rating agency data — including rating determinations on insurer investments.
• Operational impact: Credit rating agencies paused their data feeds. NAIC has temporarily suspended assigning designations to insurer investments.
• Vulnerability: CVE-2026-35273, a critical unauthenticated RCE in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 — patched in an Oracle out-of-band security alert (see our companion PeopleSoft post).
• Threat actor: ShinyHunters, per their forum post claiming responsibility on June 18, 2026.

The June 29 update matters because it transitions the story from "exfiltrated" to "published" — which changes what NC SMBs in the insurance ecosystem need to do.

Why does an NAIC breach affect NC insurance brokers and SMB clients?

Because the insurance supply chain runs through NAIC. Per the Insurance Business Magazine coverage and the QPulse ShinyHunters claim summary, the affected systems are not consumer-facing — they're the rails the industry rides on.

The cascade looks like this:

• Layer 1 (direct victim): NAIC.
• Layer 2 (immediate exposure): Insurance carriers, MGAs, rating agencies whose filings, ratings, and examination data NAIC held.
• Layer 3 (transitive exposure): NC insurance brokers and agencies that distribute those carriers' products.
• Layer 4 (downstream exposure): NC SMB policyholders — manufacturers, professional services firms, contractors — whose carrier choices, rating considerations, and competitive dynamics may be affected by the published data.

Even though no direct PII or customer data was confirmed exfiltrated, the carrier-rating and statutory-financial data now in the public domain affects competitive intelligence, M&A diligence, premium-renewal positioning, and reputational exposure for the entire NC insurance ecosystem.

Quotable definition: Fourth-party risk is the risk that a breach at your vendor's vendor lands on your desk. For NC insurance brokers and NC SMBs that rely on insurance, NAIC is exactly that — a vendor-of-vendors whose breach cascades down three layers.

What is CVE-2026-35273 and how did ShinyHunters use it?

It is an unauthenticated remote code execution (RCE) vulnerability in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 — the platform NAIC runs on. Per the eciks NAIC breach summary and our companion PeopleSoft zero-day defense post:

• CVSS: 9.8 (Critical).
• Authentication required: None.
• Exploitation timeline: Zero-day at NAIC compromise on June 11, 2026; Oracle out-of-band patch followed; CISA KEV listing followed.
• Threat actor TTPs: Reconnaissance → exploit → web-shell drop → data exfiltration → extortion / data publication.
• Other organizations affected: Multiple per Oracle's broader campaign description.

ShinyHunters specifically operates a data-extortion / data-leak model. Per the EclecticIQ ShinyHunters threat profile, the group is financially motivated and frequently publishes data when extortion fails or terms are not met. The June 29 publication is consistent with their pattern.

What should an NC insurance broker do today?

Six concrete actions that turn "NAIC was breached" into a controlled response. Per the broader vendor-risk-management literature and our vendor-risk-management-in-the-AI-age post:

1. Inventory NAIC-touching systems and data flows. Which of your carrier portals, MGA integrations, rating-feed subscriptions, or compliance tools pull from NAIC? Document them.
2. Confirm carrier statements. Each carrier you appoint with should be issuing a statement about whether the breach affected their filings, rating, or licensing data. Request the statement in writing. Save it to the vendor file.
3. Pull and review your own state-DOI filings and examinations. If your carriers' or MGAs' UCAA, SERFF, or examination data is now public, that affects renewal positioning, M&A diligence, and competitive intelligence. Know what's out there about you and your carrier panel.
4. Refresh your written information security program. The breach at NAIC will be cited in your next E&O renewal and your next FTC Safeguards Rule audit. Document your vendor risk process for NAIC specifically, even though you are not NAIC's direct customer.
5. Monitor for downstream phishing campaigns. Per the broader ShinyHunters playbook, criminals re-package published data into highly targeted phishing aimed at the affected industry. NC insurance brokers should run heightened phishing training in the next 30 days.
6. Tighten your own PeopleSoft / ERP exposure. If you, your carriers, or your back-office vendors run PeopleSoft 8.61 or 8.62, confirm the Oracle out-of-band patch is applied and the post-patch hunt for web-shells is done.

What should an NC SMB policyholder do?

Three actions, even though you are not directly named:

• Ask your broker for a vendor-impact statement. A one-pager from your broker confirming whether your carriers' filings, ratings, or examination data was implicated.
• Update your written incident-response plan vendor-risk section. "What happens when our broker's regulator gets breached" is a real-world tabletop your IR plan should be able to handle.
• Monitor for impersonation phishing. Criminals re-use industry-context data to send "from your carrier" or "from your broker" phishing emails. Train staff specifically on industry-context lures for the next 30 days.

Need help building these workflows into a standing program for your NC SMB? Call (336) 886-3282 or book a vendor-risk review.

How does Preferred Data Corporation help NC SMBs and insurance brokers respond?

PDC has been an NC small business's IT and cybersecurity partner since 1987. We bring four things to the NAIC-cascade response:

• Managed cybersecurity services: Vendor and fourth-party risk programs, written information security programs aligned to the FTC Safeguards Rule, phishing training calibrated to current threat actor campaigns, and 24/7 MDR for the broker's or SMB's own environment.
• Managed IT services: Patching and configuration discipline for ERP and back-office systems — including PeopleSoft hunts when the underlying vulnerability lands in an NC SMB or broker's stack.
• Backup and data protection: Tested, immutable backups that survive a ransomware or extortion attack — including offsite restore drills.
• M&A advisory: Pre-deal cyber due diligence and post-close integration for NC SMBs buying or selling — including review of breach exposure history for the target.

For NC insurance brokers in High Point and the Piedmont Triad scrambling to give carrier statements, NC manufacturers in Greensboro and Winston-Salem revisiting their cyber-insurance posture, and NC professional services firms in Charlotte and Raleigh updating their written ISPs, the NAIC cascade is exactly the kind of fourth-party event that separates a documented vendor-risk program from a paper one.

Ready to make sure your NC SMB or brokerage is ready for the next vendor-of-vendor breach? Call (336) 886-3282 or book a vendor-risk review.

Frequently Asked Questions

Was my personal data exposed in the NAIC breach?

According to NAIC's official statements (NAIC security update page, Insurance Journal coverage), no PII, payment, credit-card, or banking information was accessed. The exposed data was statutory financial reporting and rating-agency data on insurance companies, not individual consumer records.

What is ShinyHunters and why did they target NAIC?

ShinyHunters is a financially motivated data-extortion group with a history of compromising enterprise cloud applications and publishing data when extortion fails. Per the EclecticIQ ShinyHunters profile, the NAIC compromise was part of a broader campaign exploiting CVE-2026-35273 against multiple PeopleSoft customers.

Are NC insurance brokers required to notify clients about the NAIC breach?

Probably not in most cases — the brokers were not the direct victim, and the data published does not appear to include broker-customer PII. Per the FTC Safeguards Rule notification requirement, the trigger is unauthorized acquisition of 500+ unencrypted customer records — which is not the NAIC fact pattern. Brokers should still document their vendor-risk review for examiners and E&O carriers.

Does this affect my cyber insurance premium?

Possibly. Per the broader insurance-market trend toward stricter underwriting, third-party breaches that flow through industry-shared systems are factored into rating models. Carriers will be paying attention to whether brokers and policyholders have documented vendor-risk programs.

What if my back office uses Oracle PeopleSoft directly?

Then CVE-2026-35273 is directly your problem. Per our PeopleSoft zero-day defense post, the Oracle out-of-band patch, post-patch web-shell hunt, and ERP segmentation are non-negotiable.

How long will the NAIC data stay on the dark web?

Indefinitely. Per the general data-leak literature, published breach data is typically mirrored across forums, repositories, and torrents within hours of first publication. Removal is not realistic. The defensive posture has to assume the data is permanently in circulation.

Related Resources

• Managed Cybersecurity Services - Vendor risk, ISP, phishing training, MDR
• Managed IT Services - Patching, configuration discipline, ERP hygiene
• Backup and Data Protection - Immutable, ransomware-resilient backups
• M&A Advisory Services - Cyber due diligence and integration
• Oracle PeopleSoft CVE-2026-35273 Zero-Day NC SMB ERP Defense - Companion patch and hunt guide
• FTC Safeguards Rule 2026 NC SMB Financial Services Defense - Companion notification framework
• Vendor Risk Management in the AI Age - Foundational vendor-risk article
• Contact Preferred Data Corporation - Vendor-risk review for NC insurance brokers and SMBs