The US National Association of Insurance Commissioners (NAIC) has suffered a security breach that exposed credit rating agency data on insurer investments.
The breach was detected on June 11, and the non-profit association of US state insurance regulators disclosed it to the public on June 17.
In its latest update, posted on June 26, the NAIC confirmed that an unauthorized actor gained access to “a portion” of its environment through the exploitation of a zero-day vulnerability in Oracle PeopleSoft, which NAIC uses for internal financial reporting purposes.
The incident was the result of “a broad campaign to exploit a vulnerability in PeopleSoft that was unknown to the developer or software users at the time, which affected multiple organizations,” the NAIC added.
NAIC Confirms Data Affected and Unaffected by the Breach
Once they entered the NAIC’s PeopleSoft environment, the attacker obtained information needed to gain temporary access to certain data storage areas.
They then published some of the data accessed.
Based on the NAIC’s preliminary findings, the data accessed includes:
- Statutory financial reporting information that was already publicly available through state websites like InsData or resellers
- Credit rating agency data, including rating determinations of insurer investments
- “Potentially” additional storage data (e.g. routine technical information, such as outdated logs or configuration information)
The NAIC said that some credit rating agencies have paused their data feeds following the incident, leading the association to temporarily suspend assigning designations to insurer investments.
“Insurers should monitor AVS+ [Automated Valuation Service Plus] for any updates,” said the NAIC.
The NAIC also told users which sensitive data it has determined was not compromised by the attacker:
- Personal information of US insurance system users and employees
- Payment and financial account information, including credit card or banking information
- Rating agency investment rationale reports
- Information on any US state insurance departments’ systems
- Information linked to the National Insurance Producer Registry (NIPR) or the Teammate software provider
- Some insurance processes data, such as electronic funds transfer, risk-based capital data, policyholder information, producer data and event registration payment information
Additionally, the NAIC denied the attacker’s claims that they gained access to information linked to technology provided by the NAIC, including the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate Authority Application (UCAA), Enterprise Data Platform (EDP) and Regulatory Data Collection (RDC).
“Outside cybersecurity experts confirmed the unauthorized party did not take this information, nor compromised these regulatory reporting systems,” the NAIC stated.
NAIC Operations Almost Fully Back to Normal
In its update, the NAIC said it “promptly” contained the breach following detection and blocked the attacker’s access to its systems.
It also engaged outside counsel and cybersecurity experts, who have helped it take additional steps to strengthen its defenses.
“FBI coordination is underway,” the NAIC also noted.
Finally, the association confirmed that its operations have returned to normal with the exception of online invoice payment via PeopleSoft, which is still unavailable.
“We are meeting with credit rating providers and have provided third-party assurances that our systems are secure and the NAIC designation process can resume,” said the NAIC.
