Hacker group launches assault on insurance industry

US firms hit, is Australia next?


The global insurance industry is facing a growing cyber threat as the notorious hacker collective known as Scattered Spider turns its sights on financial and underwriting firms, following a disruptive spree targeting retailers in recent months.

Cybersecurity experts from Google’s Threat Intelligence Group have confirmed a series of intrusions into US insurance companies, warning that the sector may be the latest focal point for the group’s highly targeted campaigns. The attacks bear strong similarities to previous Scattered Spider operations, which rely heavily on social engineering tactics to compromise corporate networks.

“We are now seeing incidents in the insurance industry,” said John Hultquist, chief analyst with Google’s cyber threat unit. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert.”

Scattered Spider, also tracked by security analysts as UNC3944, is characterised by its ability to convincingly impersonate employees and exploit human vulnerabilities within call centres and IT support teams. These schemes are designed to circumvent multifactor authentication and other controls by deceiving staff into granting privileged access.

Major insurers targeted

Philadelphia Insurance Companies (PHLY) and Erie Insurance have emerged as two of the most high-profile victims in the latest wave of attacks.

PHLY, a well-known commercial insurer, was hit by a major ransomware event beginning June 9. According to reports first obtained by Cyber Risk Insurer, the incident knocked out internal systems, including email, telephony, and key customer-facing platforms. The company has since confirmed that it “proactively disconnected” compromised infrastructure and is now working to restore operations. Staff are gradually being brought back online using hardwired connections, with password resets and identity verification a core part of the recovery effort.

Erie Insurance, meanwhile, disclosed in a US regulatory filing that it detected suspicious network activity on June 7. The Fortune 500 firm said it immediately launched its incident response procedures and is collaborating with law enforcement and forensic specialists. While the identity of the attacker has not been officially confirmed, the timing and nature of the breach point to Scattered Spider as the likely culprit.

Erie’s digital operations remain severely impacted, with customer portals inaccessible and critical communications curtailed. A company status page advises policyholders to avoid unsolicited contacts and refrain from disclosing personal data via phone or email.

Legal and regulatory fallout begins

Compounding the crisis, Erie Insurance is now facing a proposed class action in federal court. The suit alleges that the company failed to safeguard customer data, potentially exposing personally identifiable information to hackers and placing individuals at risk of identity theft.

The Illinois-based plaintiff is seeking damages, credit monitoring for three years, and legal costs, contending that Erie’s security posture was inadequate given the evolving threat landscape.

A broader industry pattern emerges

Cyber specialists have warned that Scattered Spider’s tactics, which previously crippled US casinos, telecom firms and giant UK retailers, are well suited to breaching complex organisations like insurers, which rely on distributed service centres and cloud-based infrastructure.

The group is linked to attacks on high-profile targets such as Marks & Spencer, Harrods, Caesars Entertainment, MGM Resorts, and financial heavyweights including PNC and New York Life. Its success hinges on its use of insider-level deception, often leveraging publicly available employee information to build credibility with help desks and IT administrators.

Mandiant, the cybersecurity firm now part of Google Cloud, has issued technical guidance to help firms bolster defences against the group’s signature approaches. Nevertheless, the shift towards insurance companies signals an escalation in Scattered Spider’s campaign of disruption and extortion.
