The National Association of Insurance Commissioners (NAIC) said some credit rating agencies are pausing data feeds after its systems were compromised in connection with a zero-day vulnerability in Oracle PeopleSoft earlier this month.
NAIC confirmed the threat actors posted exfiltrated data on a leak site. The information includes financial and ratings information linked to insurer investments. Some of the stolen data had been publicly available on state insurance sites, through resellers or other insurance data sites.
NAIC said it has found no evidence that financial account data or personally identifiable information was lost. In addition, it said its regulatory filing systems are secure.
The association provides data, analysis and other expertise to state insurance regulators across the U.S. This critical information is used to help regulate the insurance industry.
Kroll Bond Rating Agency on Friday said it suspended data feeds sent to NAIC until the incident is resolved in a satisfactory manner.
Fitch Ratings confirmed through a spokesperson that certain data it previously submitted to NAIC was impacted by the breach. Fitch Ratings said its own systems and business operations were not affected by the attack.
As previously reported, the ShinyHunters threat group was linked to exploitation of a critical flaw in Oracle PeopleSoft. Officials at Mandiant, the incident response arm of Google Cloud, notified more than 100 organizations that they may have been impacted by the exploitation activity.
About two-thirds of the organizations hit by the zero-day flaw were educational organizations.
Hackers exploited a critical remote code execution vulnerability, tracked as CVE-2026-35273, in the software suite’s Environment Management component between May 27 and June 9. Oracle released an advisory earlier this month about the vulnerability, which is located in certain versions of Oracle PeopleSoft PeopleTools.