First M&S – now insurers are hackers' target

High profile group now targeting insurance industry says Google team

First M&S – now insurers are hackers' target

Cyber

By Matthew Sellers

British insurers are bracing for an escalating wave of cyberattacks after one of the world’s most notorious hacking groups, Scattered Spider, has pivoted from raiding retailers to targeting insurance and financial services companies on both sides of the Atlantic.

Google’s Threat Intelligence Group has issued a fresh warning, saying it had identified multiple intrusions in the United States that bear the hallmark of the group’s highly tailored, sector-specific tactics. Analysts believe the threat actor is behind recent outages at Philadelphia Insurance Companies and Erie Insurance - two firms now grappling with widespread disruption and regulatory scrutiny.

“We are now seeing incidents in the insurance industry,” said John Hultquist, Google’s chief cyber analyst. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert - especially for social engineering schemes that target their help desks and call centres.”

Scattered Spider, also tracked as UNC3944, has previously infiltrated major casino operators and, more recently, retail giants across the UK and US. Its tactics often involve impersonating employees to manipulate IT support teams, allowing attackers to bypass multi-factor authentication and gain privileged access.

UK firms caught in the crosshairs

The warning arrives as the fallout continues from the major cyberattack on Marks & Spencer, widely believed to have been orchestrated by the same group. The incident, which disrupted online sales for weeks, has prompted the retailer to lodge what is expected to be a record-breaking cyber insurance claim exceeding £100 million.

Allianz, M&S’s primary cyber underwriter, is understood to be facing an initial payout of £10 million, with Beazley and other insurers also exposed under layered cover arrangements. The claim is likely to encompass lost e-commerce revenue, data breach liabilities, and forensic recovery costs. Industry sources say broker WTW arranged the coverage, which includes both first-party and third-party losses.

M&S confirmed last month that personal customer data - such as contact details and order histories - had been compromised. Although no financial or password information was reportedly stolen, the reputational damage has been significant. Shares in the FTSE 100-listed retailer have fallen by 16 per cent since the breach was disclosed.

Investigators believe the attackers may have gained access through remote work vulnerabilities, forcing M&S to disable VPN access and send home some distribution staff in the early days of the crisis. The company is now working with the National Cyber Security Centre and external cybersecurity providers, including Microsoft and CrowdStrike.

Rising stakes for the insurance sector

The insurance industry, long a backstop for corporate risk, now finds itself squarely in the firing line. Experts warn that firms with large call centre operations and decentralised IT systems are especially vulnerable to the kind of deception-based attacks for which Scattered Spider is known.

Erie Insurance, which operates across 12 US states and holds more than seven million policies, is one of the latest confirmed victims. The company has taken systems offline and is working with law enforcement following a network intrusion on 7 June. It is now facing a proposed class action alleging that insufficient cyber defences exposed customer data to the dark web.

Philadelphia Insurance, part of the Tokio Marine group, was forced to shut down large portions of its operations after a suspected ransomware attack on 9 June. Staff are only gradually being brought back online, often using hard-wired connections and new password protocols.

Both incidents are being closely watched by reinsurers and Lloyd’s syndicates, with some underwriters warning that large-scale aggregation risk in cyber portfolios could be underappreciated.

Premiums to climb amid systemic concerns

The M&S claim is expected to send ripples through the cyber insurance market. The retailer is said to pay less than £5 million in annual premiums, a figure that may double upon renewal given the scale of the event. Analysts say the case could serve as a litmus test for how robustly insurers are prepared to respond to complex, multi-vector attacks.

Across the UK, concerns are mounting about the resilience of businesses to withstand similar events. Government data released earlier this year showed that just 8% of UK companies have standalone cyber insurance, and only a fraction have detailed incident response plans. Even among large organisations, underinsurance remains prevalent.

With other major retailers including Harrods and the Co-op recently affected, and the Government’s Cyber Security Breaches Survey warning that cyber incidents have cost UK businesses £44 billion over five years, experts believe cyber coverage is poised to become both more costly and more essential.

For insurers, the Scattered Spider campaign is a wake-up call. For the wider UK business community, it is a stark reminder that digital resilience is no longer optional.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!

IB+ Data Hub

The Ultimate Data Intelligence Platform for Insurance Professionals

Unlock powerful dashboards and industry insights with IB+ Data Hub—your essential subscription for data-driven decision-making.