
Scattered Spider, the ransomware gang suspected of carrying out the recent marathon of cyberattacks on the UK retail sector, has now set its sights on the insurance industry. The US-based Erie Indemnity is likely one of the first victims to take the hit. One security expert breaks it down for Cybernews.
- Erie Indemnity, the 13th largest auto insurer in the US, is still struggling to restore systems after a cyber incident knocked its network offline more than a week ago.
- Erie is likely one of the first insurance companies to be targeted since M&S hackers Scattered Spider switched its focus from retail to the insurance industry, insiders say.
- One security expert tells Cybernews how insurance companies can best protect themselves from Scattered Spider's infamous IT help desk phishing attacks.
The cyber incident, announced by the Erie, Pennsylvania-headquartered insurance company on June 8th, has left the company’s IT infrastructure on life support, with loss of online payments processing, email access for employees, and most other customer-facing website services.
The suspected ransomware attack has potentially impacted seven million policyholders and the company's stable of more than 13,000 insurance agents and staff.
In a statement sent to Cybernews late Tuesday, Erie Insurance said it “contained the issue” and now “have control of our systems,” although some functions, including its payments portal, were still unavailable when we checked the website.
More importantly, the company said it has not seen any “evidence of ransomware and there is no indication of ongoing threat actor activity”; however, that could change, as the investigation and recovery are still ongoing.
Founded in 1925, Erie has offices in 12 states and the District of Columbia, including Illinois, Indiana, Kentucky, Maryland, New York, North Carolina, Ohio, Tennessee, Virginia, West Virginia, Wisconsin, as well as locations in the major Pennsylvania cities of Philadelphia and Pittsburgh.
“Unfortunately, incidents like this are becoming increasingly sophisticated and can impact even the most well-protected organizations,” the spokesperson told Cybernews, adding that it has since “implemented additional security measures to further strengthen our systems.”
Complex recovery
On Saturday, Erie had said it was “making strong and steady progress…. our teams continue working around the clock to restore access for customers, agents, and employees,” according to an update posted on its website over the weekend.
“We’re confident in our actions, but this work is complex and takes time,” the insurance company said, noting that it had brought in outside cybersecurity experts to assist with remediation and its ongoing investigation.
“While the network outage and protective measures we initiated take place, our agents, claims, and care teams will continue to support our customers,” it said, adding that all auto, life, home, and business insurance policies will remain in full force.

Erie Indemnity is ranked as the 12th largest homeowners insurer and 13th largest automobile insurer in the US, according to its LinkedIn page, and was named by Forbes as one of America’s Best Insurance Companies in 2025.
On its LinkedIn and Facebook pages, the company issued an “Important Reminder” to customers and policyholders, both active and inactive, that “During this outage, Erie Insurance will not call or email customers to request payments.”
“As is best practice, do not click any links from unknown sources or provide your personal information by phone or email,” it said, asking customers to “contact their agents directly” by phone with questions.
Insurance sector on high alert
With an annual revenue of $13.2 billion, Erie Insurance has been listed on the Fortune 500 list for the past 22 years, and operates its own corporate capital investment division, Erie Strategic Ventures, making it a lucrative target for ransomware groups.
“Scattered Spider, like many cybercrime groups, goes where the money is,” said Kasey Best, Director of Threat Intelligence at Silent Push, a global threat monitoring and cybersecurity solutions firm based in Virginia, and a Scattered Spider expert.
Although Best noted there's no proof (yet) that Scattered Spider is definitively responsible for the Erie attack, he did point out “it is not unusual for them to target large organizations.”
Earlier this week, John Hultquist, Chief Analyst at Google Threat Intelligence Group (GTIG), told Bleeping Computer that GTIG had become “aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity,” specifically mentioning incidents in the insurance industry.
Hultquist further warned the outlet that “because the group approaches one sector at a time, ‘the insurance industry should be on high alert.’” The outlet additionally named the Philadelphia Insurance Companies (PHLY) as a recent victim of unauthorized access, taking place within days of the attack on Erie Insurance.

Neither Scattered Spider nor any other hacker group has come forward to claim the attack so far, although Scattered Spider often patiently waits for a media frenzy to be in full swing before claiming its victims.
How can insurance companies prepare?
On a positive note, Kasey says that insurance companies can take advantage of the now-known tactics, techniques, and procedures (TTP) used in these previous attacks to better protect themselves.
Scattered Spider is known for using sophisticated phishing attacks to gain initial access to a victim’s network by tricking employees into giving up usernames, login credentials, and multi-factor authentication (MFA) tokens.
“Insurance companies should prepare their help desk and IT teams to be targeted by potentially aggressive and well-planned social engineering attacks,” Kasey said.
This also means that companies should be in “close coordination” with their IT vendors and/or third-party security vendors, to ensure best practices are being followed, he said.
For example, noting that Scattered Spider was observed in February using a dynamic DNS domain in its Klaviyo targeting, as detailed in the intelligence blog, Kasey points out that it's important for organizations to understand not only how these groups operate, but also how they manage their infrastructure.
Another general preemptive defense posture Kasey recommends would be for organizations to focus on “hardening” IT help desks via more employee training.
Companies should be “introducing manual password resets, the use of FIDO keys for authentication, and enforcing the use of restricted VPN / IP space for access to core systems,” he said.
“Scattered Spider often aims for the weakest link in the IT chain, so it is imperative that every "link" in the chain be appropriately strengthened,” Kasey said.
Scattered Spider does not discriminate
Scattered Spider, believed to be working with the DragonForce ransomware group, has been connected to a spate of attacks on the UK/US retail sector, mainly due to the tactics used for initial entry and the DragonForce ransomware variant deployed on its victims.
Silent Push has been tracking at least "five unique Scattered Spider phishing kits, which have been used since at least 2023," according to Kasey.
The month-long attack on British retailer Marks & Spencer – said to have resulted from a third-party vendor phishing attack by Scattered Spider – took place Easter weekend and has cost the company over $400 million in damages.
Attacks on Harrods and Co-op quickly followed those on M&S, leaving the UK retail sector reeling from systemwide shutdowns, customer data being stolen, thousands of cancelled online orders, and empty shelves across hundreds of stores.
Other retailers suffering breaches connected to the two groups last month include the London luxury department store Harrods, Victoria's Secret, Dior, VF Corp's The North Face, and Adidas.
Furthermore, Silent Push's blog lists a slew of name brands targeted by the group in 2025, including Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, Tinder, T-Mobile, and Vodafone.

As for singling out the insurance sector, Kasey says his threat hunting team, which actively tracks Scattered Spider’s online presence, warns that the group is still actively seeking targets.
“It is important to recognize that just because targeting has traditionally been in one sector does not mean other sectors are safe,” Kasey said, referring to a recently published Silent Push profile on the ransomware group.
“If your organization is assessed to have the income/capital available to pay a large ransom, then your organization is a potential target,” he said.