Aflac is the latest insurance company to disclose a security breach following a string of others earlier this week, all of which appear to be part of Scattered Spider’s most recent data theft campaign.
The American insurance giant on Friday said it intends to notify regulators that it spotted the “unauthorized access to its network” on June 12, and “believes that it contained the intrusion within hours.”
Notably, the intruder didn’t infect any Aflac systems with ransomware, according to the SEC filing and a notice posted on its website, and business operations were not affected.
However, the digital crooks may have accessed files that contain claims information, health data, Social Security numbers, and other personal details for an undetermined number of customers, beneficiaries, employees, agents, and other US individuals.
And while Aflac didn’t name the intruder, the incident alert on its website seems to indicate that Scattered Spider is behind the breach:
In another “tell me it’s Scattered Spider without saying it’s Scattered Spider” note, Aflac said that its investigation, still in early stages, “indicate[s] that the unauthorized party used social engineering tactics to gain access to our network.”
If it walks like a duck and quacks like a duck …
Aflac has hired “leading third-party cybersecurity experts” to assist with its incident response.
Aflac’s disclosure follows similar ones from Erie Insurance, Philadelphia Insurance Companies, and Tokio Marine North America (which owns Philadelphia Insurance as well as Tokio Marine America Insurance Company and First Insurance Company of Hawaii).
Erie Insurance’s networks have been down since June 8. In its most recent incident update from June 17, the 12th-largest home and auto insurer in the US said it has wrestled back control of its systems: “We have seen no evidence of ransomware and there is no indication of ongoing threat actor activity.”
Tokio Marine, a day later, said it restored some network access. “However, we are still in the early stages of restoring full operations, and completing this process will take time.”
All of these insurance company attacks come as Google threat intel analysts this week urged insurance companies to be on “high alert” following “multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity.”
Scattered Spider is a loosely knit crew believed to be primarily young American and British men. Its attacks typically begin with fake help desk calls, and it has a history of focusing on one sector at a time.
Prior to insurance, the group hit several major retailers in the UK and US, including Marks & Spencer, Co-op, and Harrods. And in 2023, the casino and resort heists put a big target on Scattered Spider’s collective backs and led to at least seven arrests last year.
The silver lining, at least for insurers, is that this crime gang has “shiny object syndrome,” according to Charles Carmakal, chief technology officer of Google’s Mandiant Consulting, who told The Register in an earlier interview following the retail attacks: “My guess is this adversary will pivot to the next sector in a few weeks, once they feel like they’ve gotten all they needed out of retail.”
He was correct, and now Aflac and other insurance companies are caught in the web. ®