Recent Cyber Attacks on Insurance Companies

Key Takeaways:

  • Cyberattacks on insurance companies often exploit phishing, stolen credentials, and unpatched systems, targeting sensitive policyholder data.

  • Lessons from recent breaches reveal recurring failures in security controls, including incomplete multi-factor authentication (MFA), weak privileged access management, poor network segmentation, limited visibility, and untested incident response plans.

  • Huntress Managed Endpoint Detection and Response (EDR) helps insurers detect threats early, monitor attackers like Scattered Spider, and maintain audit-ready defenses.


How cyberattacks affect insurance companies

When an insurance company cyberattack occurs, the ripple effects include operational disruption, exposed Personally Identifiable Information (PII), and rapidly escalating regulatory scrutiny.

  • Operational disruption and financial losses: Costs include ransom payments, remediation, and regulatory fines.
  • Data exposure and regulatory consequences: Exposed policyholder data triggers identity theft and regulatory penalties.
  • Reputational and insurance coverage impacts: Breaches harm reputation and complicate coverage.

Common entry points and objectives

Every insurance company data breach reveals the same pattern: phishing or credential reuse, followed by lateral movement and eventual data exfiltration.

  • Phishing and social engineering: Attackers craft emails that appear legitimate, often from vendors or internal teams, tricking employees into clicking malicious links or sharing credentials.
  • Credential compromise: Stolen or reused passwords give attackers undetected access to internal systems.
  • Unpatched vulnerabilities: Legacy systems or exposed internet-facing applications often harbor known vulnerabilities that attackers exploit.

Once inside, attackers generally aim to:

  • Steal sensitive data for resale or ransom
  • Deploy ransomware to encrypt systems and demand payment
  • Conduct Business Email Compromise (BEC) to extract fraudulent payments

These recurring entry points explain why insurers must make both technical and human-layer defenses a priority.


Inside the playbook: how cybercriminals exploit businesses

Business Email Compromise (BEC)

Attackers infiltrate executive or finance accounts and quietly observe company operations for weeks or months. Using this insight, they craft highly convincing emails requesting wire transfers or payments to fraudulent accounts. Losses can soar into the millions, because fraudulent requests blend in with legitimate communications unless payment requests are independently verified.

Credential theft and policy data access

Stolen credentials give attackers access to sensitive policyholder data, including PII, financial records, and medical information. Because the logins appear legitimate, attackers can operate undetected, stealing sensitive data and enabling identity theft, financial fraud, and other malicious activity.

Ransomware with data extortion

Modern ransomware attacks combine encryption with data theft, creating a “double extortion” scenario: pay to restore systems and pay to prevent stolen data from being exposed. Sophisticated groups like Scattered Spider leverage social engineering and technical skill to breach even well-defended networks.


Hard lessons from recent breaches

Recent breaches reveal recurring failures in security controls:

  • Incomplete MFA: Many insurers implement multi-factor authentication (MFA) only partially.
  • Weak Privileged Access Management (PAM): Too many elevated accounts and no monitoring.
  • Unpatched critical vulnerabilities: These persist, especially in legacy systems.
  • Poor network segmentation: Allows attackers to move laterally once inside.
  • Limited visibility and telemetry: Attackers can operate undetected for months.
  • Untested incident response plans: Many organizations lack sufficient backups and escalation procedures.

These gaps are why cyber insurance requirements continue to evolve, with carriers demanding stronger controls.


Strengthening insurance cybersecurity: key focus areas

Insurance companies can close the gaps by focusing on four areas:

Identity and access management

  • Implement MFA across all systems storing sensitive data
  • Enforce strong, unique passwords and regular access reviews
  • Monitor privileged accounts with approval workflows

Endpoint detection

Huntress Managed Endpoint Detection and Response (EDR) monitors unusual file access, network connections, and authentication attempts.

Centralized logging

Central logs increase visibility, help detect breaches, and provide tamper-proof audit trails for post-incident analysis.

Employee training

Continuous, role-based, practical training ensures employees understand and act on threats rather than becoming weak links. Huntress Managed Security Awareness Training (MSAT) provides interactive, scenario-based modules to reinforce this learning across all roles.


The Huntress advantage: proactive cybersecurity for insurance companies

The Huntress Managed EDR platform helps insurance companies increase visibility into their network, detect threats quickly using behavioral analysis, and take action with guidance on containment and remediation. Huntress actively tracks threat actors such as Scattered Spider and helps insurance companies meet operational and cyber insurance requirements.

Schedule a demo to see how Huntress Managed EDR gives your team the visibility, context, and confidence to stop attackers before they impact operations or your policyholders.
