---
title: "When Vendors Fail, Everyone Pays"
description: "Key quote: Importantly, there is no current evidence that PII or payment and financial account information was accessed, including credit card or banking information. Why it matters: The supply-chain..."
url: https://kaynemcgladrey.com/blog/when-vendors-fail-everyone-pays/
date: 2026-06-29
modified: 2026-06-29
author: "Kayne"
image: https://kaynemcgladrey.com/wp-content/uploads/2026/06/NAIC-Office.webp
categories: ["Blog"]
type: post
lang: en
---

# When Vendors Fail, Everyone Pays

![Oracle PeopleSoft logo](https://kaynemcgladrey.com/wp-content/uploads/2026/06/oracle-peoplesoft-logo.webp)

**Key quote**:

> Importantly, there is no current evidence that PII or payment and financial account information was accessed, including credit card or banking information.

**Why it matters**:

The supply-chain effects from the [PeopleSoft breach](https://content.naic.org/about/security-update) over at the National Association of Insurance Commissioners (the NAIC) are becoming visible. Late Friday, the KRBA (one of the major credit rating agencies) stopped providing their data to the NAIC. According to their [press release](https://www.tmcnet.com/usubmit/2026/06/26/10406763.htm), they’re looking to hear how the NAIC’s implementing additional safeguards, and they’re also not too happy with the 15-day disclosure timeline. Organizations looking for an example of why a tested incident response plan that includes crisis communications matters don’t need to look much farther than this.

ShinyHunters dumped 3.1 terabytes onto the dark web, claiming more than 264,000 regulatory filings plus 45,000 files from credit agencies like Moody’s and S&P. While the NAIC insists their core systems weren’t affected, the group posted production AWS infrastructure logs and SQL scripts tied to live environments. That moves the threat beyond stolen documents into actionable blueprints for follow-on attacks against the entire insurance sector.

ShinyHunters’ attack used [CVE-2026-35273](https://nvd.nist.gov/vuln/detail/CVE-2026-35273), a flaw listed in the National Vulnerability Database (NVD) with a 9.8 score out of a possible 10 points. Oracle issued mitigations on June 10, but the NAIC says unauthorized access started on June 11. A one-day window between a vendor providing a warning and attackers starting to exploit it shows just how tight these timelines can get with legacy enterprise software. Mandiant’s confirmed over 100 organizations got hit during this campaign, ranging from Kodak to the University of Nottingham. If your stack runs PeopleSoft right now and you’re *not* running incident response, you might want to set aside some time this week. This also may be a prelude to the second half of the year, which will likely feature an increasing number of AI-sourced zero-days.

Investment designations assigned by the NAIC determine how much capital US life insurers must hold against portfolio holdings. In case you’re *not* a finance major, life insurance companies invest your premium money in stocks, bonds, and other assets. They have to keep a cash cushion (the reserve) on hand to make sure they can pay out claims, and the size of the reserve depends on how risky their investments are. The NAIC assigns “designations” (basically safety grades) to those investments, and riskier investments require bigger cushions.

So when those ratings are frozen, insurers lose the ability to optimize their reserve requirements. Critics had been arguing that insurers might not have been holding enough in their reserves, so freezing the designation process just makes an existing problem worse.

This is also part of the larger shift toward data-theft-only attacks that we started to see in 2025, where attackers skip encryption and go straight for public exposure. This model forces victims into public negotiations without ransom leverage, and the NAIC case proves that even government-affiliated bodies aren’t immune to zero-day campaigns targeting common infrastructure. If your organization hasn’t tested its incident response plan, this scenario might make for a great tabletop idea.
