Scattered Spider Strikes: Why Insurance Companies Are Suddenly in the Crosshairs

Jun 26, 2025, by Ethan Coulthard


Introduction

In a troubling development for the insurance industry, a hacking group known as Scattered Spider has launched a series of cyberattacks against major U.S. insurance providers. Unlike traditional ransomware gangs that rely on malicious software, this group exploits people—tricking employees into giving them access through clever social engineering tactics.

The result? Sensitive customer data may have been exposed, services were disrupted, and companies are left scrambling to respond. Here’s what happened, why it matters, and what can be done to protect against similar attacks in the future.


Who Is Scattered Spider?

Scattered Spider, also known as UNC3944, is a loosely organized hacking group believed to be composed primarily of young English-speaking members based in the U.S. and U.K. They have made a name for themselves by targeting large, high-profile companies in industries such as gaming, telecommunications, and retail.

What sets them apart is their method. Rather than exploiting software vulnerabilities, Scattered Spider relies on social engineering—posing as employees to gain trust from help desks and support teams. Once they’re in, they use legitimate tools and credentials to move through systems largely undetected.

What Happened in June 2025

Between June 7 and June 12, three major insurance companies were targeted in quick succession: Erie Insurance, Philadelphia Insurance, and Aflac.

Erie Insurance reported a disruption to its network operations. While no ransomware was deployed, the company took systems offline to investigate and contain the incident.

Philadelphia Insurance faced outages in its phone systems, email, and customer portals. The company confirmed unauthorized access but said no sensitive customer data was stolen—though investigations are ongoing.

Aflac disclosed that a breach had occurred, resulting in unauthorized access to customer information, including Social Security numbers and claims data. While the attack was contained quickly and no ransom was demanded, the exposure of such data raises serious privacy concerns.

This cluster of attacks suggests a coordinated effort and marks a clear escalation in Scattered Spider’s focus.

How the Attacks Work

Scattered Spider’s techniques rely heavily on manipulating people, not machines. They typically begin by gathering information on a company’s employees—names, titles, and contact details—often using public sources or stolen credentials from prior breaches.

Then they initiate contact, usually by calling the help desk and pretending to be an employee in distress. By sounding credible and urgent, they can often persuade staff to reset passwords or bypass multi-factor authentication (MFA) protocols.

In some cases, they use what's known as "MFA fatigue"—flooding an employee with login requests until they finally approve one out of frustration or confusion.

Once inside, they use real employee accounts and internal tools to navigate systems, download data, or prepare ransomware attacks. Because they operate using legitimate credentials, detecting them can be extremely difficult without strong behavioral monitoring in place.

Why Insurance Companies?

Insurance firms are an appealing target for several reasons. First, they hold vast amounts of sensitive data, including health records, financial information, and identification details like Social Security numbers. This type of information is highly valuable on the black market.

Second, these companies often serve as third-party assessors of cybersecurity risks for others, which can give attackers insights into potential vulnerabilities elsewhere.

Lastly, disrupting an insurer’s operations has a wide-reaching impact—delaying claims, straining customer support, and eroding trust—which gives attackers leverage, even in the absence of a ransomware demand.

The Impact

For customers, the fallout can include identity theft, fraudulent claims, and a loss of confidence in how their information is handled.

For companies, these attacks bring service disruptions, reputational damage, and potential legal and regulatory consequences. Organizations may face lawsuits, regulatory fines, and increased scrutiny from government agencies.

Even when no ransom is paid, the cost of incident response, forensic investigations, and rebuilding public trust can be substantial.

How Companies Can Defend Themselves

There is no single solution to prevent these kinds of attacks, but a layered approach significantly reduces risk. Companies should:

  • Strengthen help desk protocols by requiring multiple, independent identity verifications before resetting passwords or modifying access rights.
  • Replace push-based MFA systems with phishing-resistant alternatives such as security keys or biometrics.
  • Continuously train employees to recognize and respond to social engineering attempts.
  • Monitor authenticated user activity for unusual behavior, such as access during odd hours or large data transfers.
  • Maintain and test an incident response plan that includes input from cybersecurity experts and legal counsel.

By making it harder for attackers to manipulate people and by quickly detecting suspicious behavior, organizations can reduce both the likelihood and impact of a successful breach.
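As an added illustration of the behavioral monitoring the article recommends (this is example code, not from the original post or from TechHorizon Consulting), the following Python flags two of the patterns described above over constructed identity-provider log events: a burst of MFA push prompts to a single user (the MFA-fatigue pattern) and a help-desk password reset followed shortly by enrollment of a new MFA device. The event names, thresholds and sample entries are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified identity-provider log format:
# (ISO timestamp, user, event). Illustrative only, not from any real incident.
SAMPLE_EVENTS = [
    ("2025-06-10T01:58:00", "acarter", "mfa_push_denied"),
    ("2025-06-10T01:58:40", "acarter", "mfa_push_denied"),
    ("2025-06-10T01:59:20", "acarter", "mfa_push_denied"),
    ("2025-06-10T02:00:05", "acarter", "mfa_push_denied"),
    ("2025-06-10T02:01:10", "acarter", "mfa_push_approved"),
    ("2025-06-10T09:15:00", "bkim", "helpdesk_password_reset"),
    ("2025-06-10T09:23:00", "bkim", "mfa_device_enrolled"),
    ("2025-06-10T14:00:00", "dlee", "helpdesk_password_reset"),
    ("2025-06-11T10:00:00", "dlee", "mfa_device_enrolled"),
]

def _by_user(events):
    """Group events per user as sorted (datetime, event) pairs."""
    grouped = defaultdict(list)
    for ts, user, event in events:
        grouped[user].append((datetime.fromisoformat(ts), event))
    return {u: sorted(rows) for u, rows in grouped.items()}

def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Return {user: prompt_count} for users who received >= threshold push
    prompts inside one sliding window: the MFA-fatigue burst pattern."""
    flagged = {}
    for user, rows in _by_user(events).items():
        pushes = [t for t, e in rows if e.startswith("mfa_push_")]
        start = 0
        for end in range(len(pushes)):
            while pushes[end] - pushes[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
    return flagged

def detect_reset_then_mfa_change(events, window=timedelta(hours=1)):
    """Return users whose help-desk password reset is followed within
    `window` by a new MFA device enrollment (reset-then-enroll sequence)."""
    flagged = []
    for user, rows in _by_user(events).items():
        resets = [t for t, e in rows if e == "helpdesk_password_reset"]
        enrolls = [t for t, e in rows if e == "mfa_device_enrolled"]
        if any(r <= en <= r + window for r in resets for en in enrolls):
            flagged.append(user)
    return flagged
```

On the sample data, `acarter` is flagged for five prompts in under ten minutes and `bkim` for a reset followed by enrollment eight minutes later, while `dlee` is not flagged because the enrollment came a day after the reset.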


Conclusion

The recent attacks against insurance companies by Scattered Spider are a stark reminder that cybersecurity threats are evolving. This group doesn’t rely on sophisticated malware or brute-force hacking—instead, they exploit trust, communication, and human error.

As attackers shift focus to industries rich in personal data, it’s essential for organizations to adapt their defenses accordingly. That means going beyond firewalls and antivirus software, and investing in people, processes, and proactive detection. It's important to remember that these attacks can happen to any company at any time. If your company has concerns about how these attacks could affect operations, TechHorizon Consulting can help. We can provide tools like real-time network monitoring that stop these attacks in their tracks. If this interests you or your company, please visit our "Contact Us" page.