Between June 7 and June 12, 2025, three of the largest property-casualty and life insurers in the United States — Erie Insurance, Philadelphia Insurance Companies, and Aflac — disclosed near-simultaneous cybersecurity incidents. The cluster, attributed by Mandiant and Google Threat Intelligence Group to operators using Scattered Spider tradecraft, marked an abrupt pivot from the spring 2025 UK retail wave that hit Marks & Spencer, the Co-operative Group, and Harrods. Aflac initially disclosed only that an "unauthorised party" had been blocked from a portion of its US business network and that no ransomware had been deployed. On December 23, 2025, Aflac filed an updated notice confirming that personal data, including health information, of approximately 22.65 million individuals had been stolen, making it one of the largest health-data breaches of the year. The case demonstrates how a focused affiliate cluster can roll through an entire vertical inside 30 days, and why insurance is now a tier-one target. The combination of dense personal data, regulated breach-notification deadlines, and customer claims that involve significant financial value makes insurance an unusually leverageable sector for extortion-motivated operators.
Who is Scattered Spider and how did they get in?
Scattered Spider — tracked variously as UNC3944, Octo Tempest, Star Fraud, Muddled Libra, and 0ktapus — is a loose affiliation of native-English-speaking operators, mostly based in the UK, US, and Canada, with a documented operational pattern: SIM swapping for initial recon, voice-based social engineering of IT helpdesks, MFA fatigue or reset, and rapid pivot to identity-provider compromise. In the June 2025 insurance cluster, public reporting from Mandiant, Recorded Future, and the Identity Theft Resource Center indicates the initial-access vector at each of the three insurers was consistent: phone calls to internal or outsourced IT helpdesks, impersonating an employee with a documented account-recovery scenario, requesting password or MFA factor resets, and pivoting through the Okta or Microsoft Entra identity layer into customer-database systems. Aflac's own statement attributed the campaign to a "sophisticated cybercrime group" without naming Scattered Spider, while Mandiant attributed the cluster to UNC3944 affiliates.
What did the attackers actually access?
Aflac's December 2025 notification listed personal-data exposure for approximately 22.65 million individuals including names, dates of birth, addresses, Social Security numbers, claims information, and protected health information related to insurance claims. Erie Insurance and Philadelphia Insurance Companies issued more limited statements describing network anomalies that triggered protective shutdown of customer-facing systems, with both filing breach notices later in 2025 once forensic review completed. Allianz Life Insurance Company of North America announced in July 2025 that the same Scattered Spider cluster had pivoted into a third-party CRM platform and exfiltrated data on roughly 1.4 million customers, financial professionals, and employees. The insurance-cluster total of confirmed exposure now exceeds 25 million people across the named events.
How long were they inside?
Aflac stated it detected and contained the intrusion "within hours" on June 12, 2025, blocking the attacker before encryption or further lateral movement. Erie Insurance and Philadelphia Insurance disclosed similarly compressed detection timelines. The Scattered Spider pattern of June 2025 looked tactically faster than the spring UK retail cluster: insurers' shorter dwell times suggest that the helpdesk-callback hardening lessons from M&S and Co-op had partially propagated, with insurers detecting unusual identity-provider activity within hours rather than days. Detection within hours, however, did not prevent data exfiltration; staged exfiltration during the initial-access window was enough to account for the roughly 22.6 million records taken.
What did existing controls miss?
Three gaps recur across the cluster. First, helpdesk identity-proofing remained vulnerable to voice impersonation. Despite the public lessons from MGM Resorts 2023, Caesars 2023, and M&S 2025, multiple insurance helpdesks still permitted MFA factor reset based on knowledge-based authentication or short-lived ticket-portal sessions. Second, identity-provider tier-zero segmentation was insufficient: once Scattered Spider obtained a single privileged Okta or Entra session, lateral movement into customer-database and claims-system access required no additional MFA challenge. Third, the third-party CRM angle that appeared in the Allianz Life incident exposed the same pattern Scattered Spider used at Snowflake in 2024 — a connected SaaS platform held a copy of the regulated dataset, with weaker access controls than the principal's primary stack.
# Identity-provider hardening baseline for insurance carriers
identity_provider_baseline:
  authentication:
    phishing_resistant_factors_only: required
    sms_otp_disabled: true
    push_notification_with_number_match_required: true
    legacy_protocol_basic_auth_disabled: true
  helpdesk_resets:
    verified_callback_to_hr_number: required
    manager_approval_for_mfa_reset: required
    cooldown_hours_password_to_mfa_reset: 24
    cannot_reset_privileged_admin_factors_via_helpdesk: true
  session_management:
    privileged_session_lifetime_minutes_max: 60
    step_up_mfa_for_sensitive_apps: required
    risky_signin_block_not_challenge: true
  monitoring:
    new_factor_enrolment_alert_to_user_email_sms: required
    impossible_travel_block_threshold_km_per_hour: 800
    privileged_role_assignment_alert: high
  external_integrations:
    third_party_crm_oauth_token_lifetime_days_max: 30
    quarterly_token_inventory_review: required
What should insurance defenders do now?
Six steps. First, finish the helpdesk hardening that retail learned the hard way: verified callback, manager approval, video identity proofing for privileged factor resets, 24-hour cooldown between password and MFA changes. Second, enforce phishing-resistant FIDO2 across every privileged role and remove SMS OTP from any factor list that touches identity-provider administration. Third, implement step-up MFA on access to claims, member-record, and underwriting systems even from authenticated sessions. Fourth, inventory every third-party CRM, agent portal, and claims-vendor OAuth integration; rotate refresh tokens older than 30 days and apply the same monitoring fidelity to those integrations that you apply to the identity provider itself. Fifth, exercise a Scattered Spider tabletop with insurance-specific scenarios: helpdesk phone calls during open-enrolment surges, claims-system lateral movement, agent-portal token theft. Sixth, share IOCs and TTPs through the FS-ISAC Cyber Intelligence Sharing Center and the National Council of Insurance Legislators security working group so that an attack at any peer insurer surfaces an alert across the sector within minutes.
What regulatory follow-on has the campaign produced?
The June 2025 insurance cluster triggered immediate regulatory attention across multiple jurisdictions. The New York Department of Financial Services, under 23 NYCRR 500, opened inquiries with the affected carriers and reminded the industry that material cyber-incidents must be reported within 72 hours under the November 2023 Part 500 amendments. State insurance regulators following the NAIC Insurance Data Security Model Law in roughly half of US states issued similar notices. The Cybersecurity and Infrastructure Security Agency added the campaign to its 2025 advisory portfolio with TTP details aligned to UNC3944 and DragonForce affiliate tradecraft. Aflac's December 23 follow-up notification covering 22.65 million people exposed the company to class-action litigation under multiple state privacy statutes and federal claims; Allianz Life faced parallel actions in Minnesota and federal court. The pattern reinforced what financial-services regulators have warned about for two years: helpdesk identity proofing, third-party CRM controls, and identity-provider tier-zero hardening are now table-stakes expectations. By the close of 2025 every Top 50 US insurer was either remediating or auditing its helpdesk workflows in anticipation of the next Scattered Spider campaign.
How Safeguard Helps
Safeguard inventories every identity provider, helpdesk vendor, and connected SaaS integration that handles policyholder or claims data, and continuously scores each against the CISA Secure by Design pledge, NAIC Insurance Data Security Model Law expectations, and contractual breach-notification SLAs. Griffin AI reachability analysis surfaces which OAuth integrations hold long-lived refresh tokens, which helpdesk vendors retain MFA-reset authority, and which third-party CRMs store claims content that exceeds the data-minimisation baseline. TPRM workflows require helpdesk and identity-provider vendors to attest to FIDO2 enforcement and verified-callback procedures, and continuously verify that attestations match live configuration. Policy gates block new SaaS integrations that fall below the baseline, and ingest Scattered Spider, DragonForce, and UNC3944 IOCs continuously so that a phone call at one carrier surfaces an alert across every connected helpdesk in your environment within minutes.