A string of cyberattacks believed to be linked to the threat actor known as Scattered Spider is sending tremors through the U.S. insurance industry, forcing major carriers to shut down systems, contact federal authorities, and brace for operational and reputational fallout.
Google’s Threat Intelligence Group confirmed this week that several American insurers have suffered breaches exhibiting patterns consistent with the tactics of Scattered Spider, a loosely organized but highly effective hacking collective known for its social engineering acumen and sector-specific targeting.
“We are now seeing incidents in the insurance industry,” said John Hultquist, chief analyst at Google’s cyber threat unit. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert.”
Scattered Spider, which has also operated under the designation UNC3944, is thought to be behind the recent disruptions at Erie Insurance and Philadelphia Insurance Companies, both of which reported network intrusions within the past two weeks.
Philadelphia Insurance, a unit of Tokio Marine, disclosed on June 9 that it had disconnected key systems following the discovery of unauthorized access. The company’s email, phone lines, and digital services remain affected, with staff reportedly being brought back online in stages. In a public statement, the insurer acknowledged the seriousness of the situation and said it is working “around the clock” to restore operations while collaborating with law enforcement and forensic experts.
Erie Insurance, headquartered in Pennsylvania and ranked among the top 15 U.S. homeowners insurers, reported a similar event two days earlier, on June 7. The company has not confirmed the nature of the attack, but said it had triggered its internal response protocols and engaged outside cybersecurity assistance. Its systems also remain partially offline.
While Erie continues to process claims via phone and local agents, digital services such as customer account portals have been suspended. Erie noted that the recovery process is “complex and takes time,” but maintained that service access is gradually being restored.
A regulatory filing by Erie on June 11 confirmed that an investigation is ongoing. The company has advised customers not to share sensitive information with unsolicited callers or messages.
Scattered Spider is no stranger to the insurance or financial sectors. In recent years, the group has been associated with attacks on casinos, cloud service providers, and other high-profile targets, including MGM Resorts and Caesars Entertainment. Its hallmarks include the use of social engineering to manipulate internal IT staff into granting access, often circumventing multifactor authentication controls.
Mandiant, Google’s cybersecurity unit, has tracked the group’s evolution from SIM-swap scams and phishing to advanced, multi-layered extortion campaigns. Charles Carmakal, Mandiant’s chief technology officer, said the group appears to have begun targeting insurers specifically in the past two weeks.
Researchers note that Scattered Spider tends to move methodically through industries, leveraging what it learns from one breach to improve its tactics in the next. The group has also been linked to attacks on cloud infrastructure providers, raising broader concerns about systemic risk exposure.
The fallout for victims may not be limited to technological recovery. Erie Insurance is now facing a proposed class-action lawsuit, filed in federal court, alleging that security lapses allowed customer data to be accessed and possibly distributed on the dark web. The plaintiff is seeking damages, legal fees, and credit monitoring for affected individuals.
Despite the absence of confirmed data exfiltration, the case underscores the increasing legal peril facing insurers hit by cyber incidents—especially when customer-facing operations are interrupted.
Rating agencies are monitoring the situation closely. Both Erie and Tokio Marine’s U.S. group hold high financial strength ratings from A.M. Best, though widespread cyber events have in the past triggered reevaluations when operational capabilities were impaired or legal risks mounted.
Philadelphia Insurance, which wrote nearly US$1.7 billion in direct P&C premiums last year, and Erie, with over US$3.3 billion in homeowners premium, are both deeply embedded in the national insurance infrastructure. Their exposure illustrates how even large, well-capitalized carriers can fall prey to sophisticated actors operating in loosely affiliated, global cybercriminal networks.
Cybersecurity professionals say the recent wave of insurance-related incidents reflects a broader vulnerability in the sector’s digital defenses—especially in front-line environments like customer service centers and IT help desks, which can be manipulated by well-practiced social engineers.
Analysts warn that the insurance industry must prepare for more frequent and targeted attacks, as well as the financial implications that come with data privacy litigation, regulatory scrutiny, and potential reputational damage.
Hultquist of Google urged companies to revisit their internal access policies and to be particularly wary of impersonation tactics that rely on publicly available employee data, often harvested from professional networking platforms.