The U.S. insurance sector may have become the next major target for ransomware actors, with Erie Indemnity suspected to be the first victim in a broader campaign led by Scattered Spider. The incident, which disrupted operations across Erie’s IT infrastructure, highlights the group’s apparent pivot away from retail and into new enterprise verticals.
Founded nearly a century ago, Erie Indemnity is a major player in U.S. insurance, serving over seven million policyholders with a network of more than 13,000 agents. But over the past week, the Pennsylvania-based insurer has struggled to bring its systems back online following what appears to be a sophisticated ransomware attack.
Erie Insurance Disrupted by Major Cyberattack, Operations Still Recovering
Erie announced the cyber incident on June 8. Since then, customers have been unable to access core services, including online payments and digital communications. The company confirmed that its teams were “working around the clock” with external cybersecurity specialists to restore full access.
“We’re confident in our actions, but this work is complex and takes time,”
Erie Insurance stated, noting that auto, home, life, and business policies remain active and unaffected by the outage.
The company has posted warnings on its official channels to remind users that Erie is not contacting customers for payments during the outage. Customers were urged not to click links or share sensitive information with unknown sources, and to reach out to agents directly by phone for assistance.
Erieinsurance.com. Image by Cybernews.
Scattered Spider May Be Behind the Attack—but Has Yet to Claim It
While no hacker group has taken responsibility, cybersecurity experts believe the evidence points to Scattered Spider—the same group linked to recent attacks on major UK retailers like Marks & Spencer, Harrods, and Co-op. Those attacks caused widespread operational shutdowns and financial damage estimated in the hundreds of millions.
Kasey Best, Director of Threat Intelligence at Virginia-based Silent Push, says the shift in target industries fits the group’s strategy.
“Scattered Spider, like many cybercrime groups, goes where the money is,”
Best told Cybernews, explaining that large organizations like Erie are prime candidates for attack.
John Hultquist, Chief Analyst at Google’s Threat Intelligence Group (GTIG), confirmed that his team had tracked multiple U.S. intrusions in recent weeks bearing “all the hallmarks of Scattered Spider activity.” He added that the insurance sector should now be on high alert, referencing recent unauthorized access at Philadelphia Insurance Companies shortly after the Erie breach.
Experts Warn Insurance Companies to Brace for Sophisticated Social Engineering
Scattered Spider is known for using phishing and vishing attacks to exploit service desks and trick employees into handing over login credentials and multi-factor authentication codes.
Best emphasized that insurers should take steps to reinforce their internal help desk processes. Recommended measures include:
- Introducing manual password resets
- Enforcing the use of FIDO security keys
- Restricting VPN access to known IP ranges
- Running regular training on social engineering risks
He also noted that the group has previously used dynamic DNS domains and custom phishing kits, giving them the ability to tailor attacks for specific targets.
“Scattered Spider often aims for the weakest link in the IT chain, so it is imperative that every link be appropriately strengthened,”
Best warned.
High Stakes for a Fortune 500 Insurance Giant
Erie Insurance ranks as the 13th largest auto insurer and 12th largest homeowners insurer in the U.S., with an annual revenue of $13.2 billion. It operates across 12 states and D.C., and has consistently held a spot on the Fortune 500 for over two decades.
The company also runs a corporate venture arm—Erie Strategic Ventures—which could be an additional incentive for financially motivated attackers. Industry insiders say the scale and financial profile of companies like Erie make them attractive ransomware targets.
Scattered Spider’s Retail Rampage May Have Set the Stage
This latest suspected attack follows a long series of campaigns linked to Scattered Spider and its known collaborator, DragonForce. Earlier this year, the group was tied to:
- The Easter weekend breach of Marks & Spencer
- Attacks on Harrods, Victoria’s Secret, and VF Corp’s North Face brand
- Data breaches affecting major names like Louis Vuitton, Twitter/X, Instacart, Forbes, and Credit Karma
Silent Push has tracked multiple Scattered Spider phishing kits in the wild since 2023, signaling ongoing activity and adaptability in its attack methods.
“The insurance industry must prepare as Scattered Spider moves sector by sector,”
Hultquist warned.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.
