A series of cyberattacks linked to a hacking group called Scattered Spider is causing significant disruptions in the U.S. insurance sector. Major insurance companies are shutting down their systems, contacting federal authorities, and preparing for potential operational and reputational damage.
This week, Google’s Threat Intelligence Group reported that several American insurers have experienced breaches that align with the tactics used by Scattered Spider. This group is known for its clever social engineering techniques and targeted attacks on specific industries.
John Hultquist, a chief analyst at Google’s cyber threat unit, stated, “We are now seeing incidents in the insurance industry. Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert.”
Scattered Spider, also known as UNC3944, is suspected to be behind recent incidents affecting Erie Insurance and Philadelphia Insurance Companies. Both companies reported unauthorized access to their networks in the past two weeks.
Philadelphia Insurance, part of Tokio Marine, revealed on June 9 that it had disconnected key systems after discovering the breach. The company is currently working to restore its email, phone lines, and digital services, bringing staff back online gradually. It is collaborating with law enforcement and cybersecurity experts to address the situation.
Just two days earlier, Erie Insurance, one of the top homeowners insurers in the U.S., reported a similar incident. While the company has not disclosed the details of the attack, it activated its internal response protocols and sought external cybersecurity assistance. Although customers can still process claims via phone and local agents, many digital services remain offline.
Erie Insurance has also filed a regulatory notice confirming an ongoing investigation and has warned customers against sharing sensitive information with unsolicited callers.
Scattered Spider is familiar with the insurance and financial sectors, having previously targeted casinos and cloud service providers. This group is known for using social engineering to manipulate IT staff into granting access, often bypassing security measures like multifactor authentication.
Mandiant, a cybersecurity unit of Google, has observed the group’s evolution from simple scams to more advanced extortion tactics. Charles Carmakal, Mandiant’s chief technology officer, noted that Scattered Spider appears to have shifted its focus to insurers recently.
Experts point out that this group tends to learn from each attack, refining its methods for future breaches. Their recent activity raises concerns about broader risks to cloud infrastructure and the insurance industry’s digital defenses.
The impact of these attacks may extend beyond immediate technical recovery. Erie Insurance is facing a proposed class-action lawsuit claiming that customer data may have been accessed and possibly shared on the dark web due to security failures. The lawsuit seeks damages, legal fees, and credit monitoring for affected customers.
Although no data breaches have been confirmed, the lawsuit highlights the increasing legal risks for insurers facing cyber incidents, especially when customer services are disrupted. Rating agencies are closely monitoring the situation, as both Erie and Tokio Marine’s U.S. group hold strong financial ratings. However, widespread cyber events could lead to reevaluations if operational capabilities are impaired.
Both Philadelphia Insurance and Erie Insurance play significant roles in the national insurance landscape, with billions in premiums. Their experiences show that even large, financially stable companies can fall victim to sophisticated cybercriminals.
Cybersecurity experts believe these incidents reveal a larger vulnerability within the insurance sector, particularly in customer service and IT support areas that can be exploited by social engineers. Analysts warn that the industry must brace for more frequent and targeted attacks, along with the financial consequences of data privacy litigation and regulatory scrutiny.
Hultquist emphasized the need for companies to reassess their access policies and remain vigilant against impersonation tactics that use publicly available employee information.