
US Federal Insurance Regulator Confirms Data Breach Caused by Oracle Vulnerability


The US National Association of Insurance Commissioners (NAIC) has recently faced a significant security breach that has put sensitive credit rating data pertaining to American citizens at risk. This alarming incident was first detected on June 11, and the NAIC, a non-profit organization that oversees the federal insurance system, made a public announcement about the breach on June 17.

In its official update released on June 26, the NAIC confirmed that unauthorized access was gained to “a portion” of its internal environment through the exploitation of a zero-day vulnerability in Oracle PeopleSoft, software the NAIC uses for critical internal financial reporting. The breach was not an isolated incident; the organization noted that it was part of a broader campaign affecting multiple organizations. The vulnerability exploited was unknown to both the developer and its users at the time of exploitation.

Upon breaching the NAIC’s PeopleSoft environment, the attacker managed to secure information that allowed temporary access to certain data storage areas. Subsequently, some of the accessed data was published, which raised further concerns about the extent of the breach.

According to preliminary findings from the NAIC, several types of information were affected by the breach. This included statutory financial reporting information that was already publicly accessible through various state websites, such as InsData or through data resellers. Additionally, sensitive credit rating agency data that involves the rating determinations of insurer investments was compromised. Moreover, the NAIC mentioned the possibility of additional data being accessed, which may consist of routine technical information—such as outdated logs or configuration details—that is typically not of high sensitivity.

Following the security incident, some credit rating agencies decided to halt their data feeds, prompting the NAIC to temporarily suspend the assignment of designations related to insurer investments. The NAIC advised insurers to monitor the Automated Valuation Service Plus (AVS+) platform for any updates concerning the situation.

On a positive note, users were notified that critical data remained intact and was not compromised during the attack. This included:

– Personal information pertaining to US insurance system users and employees.
– Payment and financial account information including credit card and banking details.
– Rating agency investment rationale reports.
– Any information associated with US state insurance departments.
– Data connected to the National Insurance Producer Registry (NIPR) or the Teammate software provider.
– Certain insurance process data, such as electronic funds transfer, risk-based capital data, policyholder data, producer information, and event registration payment data.

Furthermore, the NAIC refuted claims made by the attacker regarding access to sensitive technology-related information within their systems. This included critical regulatory tools such as the System for Electronic Rate and Form Filing (SERFF), Online Premium Tax for Insurance (OPTins), Uniform Certificate Authority Application (UCAA), Enterprise Data Platform (EDP), and Regulatory Data Collection (RDC). The NAIC asserted that independent cybersecurity experts confirmed that the unauthorized party did not extract this information or compromise these essential regulatory systems.

As for the operational impact following the breach, the NAIC reported that it acted swiftly to contain the situation. It promptly blocked the attacker’s access and enlisted the assistance of outside legal counsel and cybersecurity experts, who have implemented additional measures to bolster security defenses. Coordination with the FBI regarding the incident is reportedly underway.

The NAIC further stated that its operations are nearly fully restored. However, it acknowledged that online invoice payment through PeopleSoft remains unavailable at present. The organization is actively engaging with credit rating providers, providing third-party assurance that its systems are secure, and preparations are underway for the resumption of the NAIC designation process.

The breach illustrates the risk posed by zero-day exploitation of widely deployed enterprise software and underscores the importance of robust security measures in organizations that handle financial data related to millions of citizens. The NAIC’s response demonstrates a commitment to transparency and remediation in the wake of such incidents, keeping stakeholders informed and vigilant.
