The Breach in Numbers: What Scattered Spider Actually Took
In June 2025, a threat actor linked to Scattered Spider — a loosely organized coalition of young, native English-speaking cybercriminals operating from the US, UK, and Canada — breached Aflac’s environment and exfiltrated data before being ejected. According to Aflac’s disclosure filing with the Iowa Attorney General, the intrusion was stopped within hours with no operational disruption and no ransomware deployed. That relatively contained operational impact made the headline number more surprising: 22.65 million individuals affected, including more than 2 million Texas residents alone.
The stolen dataset is unusually rich even by breach standards. Compromised records included names, dates of birth, home addresses, government-issued identification numbers, driving license details, Social Security numbers, and medical and health insurance records — including actual claims data. Not every individual had all categories exposed, but the combination of SSN plus health claims plus contact detail creates a high-value package for identity fraud, medical fraud, and targeted phishing.
Aflac serves approximately 50 million customers, meaning the breach touched roughly 45 percent of its total customer base. The company offered 24 months of identity protection services, including credit monitoring, identity theft protection, and medical fraud protection, with an enrollment deadline of April 18, 2026. Federal law enforcement was notified and external cybersecurity experts were engaged. Despite those responses, the six-month gap between the June 2025 breach and the December 26, 2025 public confirmation is itself a reputational problem that state insurance regulators are increasingly scrutinizing.
How Scattered Spider Works the Help Desk
Scattered Spider — also tracked as UNC3944, 0ktapus, and Muddled Libra — has refined a repeatable playbook that cybersecurity researchers at BlackFog describe as “phone-based help desk social engineering.” The mechanics are straightforward and devastatingly effective.
Operatives open by impersonating an employee with an urgent issue — a locked account, a failed MFA push, or a forgotten device. They arrive at the call armed with personal data harvested from prior breaches: the target employee’s full name, job title, manager’s name, employee ID, and sometimes the answers to common security challenge questions. That data is used not to log in directly but to sound authentic enough to pressure a help-desk analyst into bypassing verification protocols and resetting MFA or VPN credentials. The result is a set of valid credentials the attacker controls — what BlackFog’s researchers call “a skeleton key to the network.”
Where credential harvesting alone is insufficient, the group employs MFA fatigue: sending repeated authentication push notifications to a legitimate employee until fatigue, confusion, or social engineering from a concurrent call causes the employee to approve a request they should have rejected.
The technique is sector-agnostic, but insurance is particularly attractive. Help-desk volumes at insurers are high, analyst pools are large and often offshore or outsourced, and the systems being accessed — claims platforms, policy administration, medical underwriting — hold the most sensitive data imaginable. The simultaneous June 2025 hits on Erie Insurance and Philadelphia Insurance Companies alongside Aflac, plus the parallel breach of Scania Financial Services, indicate deliberate sector targeting rather than opportunistic selection. In the broader 2025 campaign, Scattered Spider also breached Allianz Life and pivoted to aviation later in June, hitting WestJet, Hawaiian Airlines, and Qantas — where data on approximately 6 million passengers was accessed.
Financially, Scattered Spider has extorted at least $115 million from dozens of victims over three years. A leak site operated by the group was dismantled by law enforcement in 2025, and two members were arrested in the UK, but the coalition structure means disruption of those nodes did not halt operations.
What CISOs Should Do: Hardening the Help Desk Against Vishing
The Aflac breach is a procedural failure, not a technical one. No zero-day was exploited. No advanced persistent threat tunneled through the network perimeter for months. A person on a phone call convinced another person to hand over credentials. That means the countermeasures are also procedural — but they must be operationalized with the same rigor as a firewall rule, not left as a training slide.
1. Replace Shared-Secret Verification with Hardware-Bound Proof
Knowledge-based authentication — “what’s your employee ID? what was your first pet’s name?” — is defeated the moment that data exists in any breach dataset, and Scattered Spider specifically pre-loads this information before calling. The replacement is hardware-bound identity: a FIDO2 physical security key, a company-issued badge tap on a physical reader, or an in-person identity re-validation. For remote employees, a live video call with the requestor’s manager as a co-verifier adds a second human check that is orders of magnitude harder to fake than a phone voice. Several enterprise identity vendors now offer real-time identity verification tied to government-issued ID via mobile camera — this category is worth evaluating for high-risk reset scenarios. Any help-desk procedure that allows credential reset or MFA bypass over a voice call alone, without a hardware or visual proof step, should be treated as an open vulnerability.
2. Classify Reset Requests by Data Risk, Not by Workflow Speed
Not all help-desk requests carry equal risk. A password reset for a low-privilege productivity account is categorically different from an MFA reset for an account with access to claims management systems, policy administration, or personally identifiable health data. CISOs should work with help-desk operations to build a tiered reset classification: Tier 1 resets (low-privilege, no PII access) can proceed with standard verification; Tier 2 resets (finance, HR, or mid-level data access) require manager co-authorization via a separate authenticated channel; Tier 3 resets (any account with access to bulk PII, health records, or payment data) require a mandatory 24-hour cooling-off period and a notification to the account holder via out-of-band contact. The 24-hour delay is not bureaucratic friction — it is the detection window that lets the real account holder flag the reset before the attacker uses the credentials. Tier 3 should also trigger an alert to the security operations center so any subsequent login activity is monitored in real time.
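The tiered reset policy above can be expressed as code so that the help-desk tooling, not the analyst under pressure, decides what a request needs. The following is an added example, not Aflac's or any vendor's implementation: the entitlement names, the request fields and the decision format are hypothetical, and it combines section 1's rule (no MFA reset on a voice call alone) with section 2's tiers (manager co-authorization for Tier 2; a 24-hour cooling-off, out-of-band notice to the account holder and SOC alert for Tier 3). Unknown entitlements fail closed to Tier 3.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical entitlement names mapped to the article's three reset tiers.
# Any entitlement not listed here fails closed to Tier 3.
ENTITLEMENT_TIER = {
    "office_productivity": 1,
    "intranet_wiki": 1,
    "finance_ledger": 2,
    "hr_portal": 2,
    "claims_platform": 3,
    "policy_admin": 3,
    "medical_underwriting": 3,
    "payment_processing": 3,
}
COOLING_OFF = timedelta(hours=24)


@dataclass
class ResetRequest:
    account: str
    entitlements: frozenset
    reset_type: str                     # "password" or "mfa"
    requested_at: datetime
    hardware_proof: bool = False        # FIDO2 key, badge tap or live video check completed
    manager_coauthorized: bool = False  # approval received on a separate authenticated channel


def account_tier(entitlements):
    """Highest tier across the account's entitlements; unknown names count as Tier 3."""
    if not entitlements:
        return 1
    return max(ENTITLEMENT_TIER.get(name, 3) for name in entitlements)


def evaluate(req, now):
    """Return the help-desk decision for a reset request under the tiered policy."""
    tier = account_tier(req.entitlements)
    result = {"tier": tier, "decision": "approve", "reasons": [],
              "actions": [], "earliest_execution": None}

    # Section 1: an MFA reset is never granted on the strength of a voice call alone.
    if req.reset_type == "mfa" and not req.hardware_proof:
        result["decision"] = "deny"
        result["reasons"].append("mfa reset requires hardware-bound or visual identity proof")

    # Tier 2: manager co-authorization over a separate authenticated channel.
    if tier == 2 and not req.manager_coauthorized:
        result["decision"] = "deny"
        result["reasons"].append("tier 2 requires manager co-authorization out of band")

    # Tier 3: notify the real account holder, alert the SOC, and hold for 24 hours
    # so the account holder has a window in which to flag a reset they never asked for.
    if tier == 3:
        result["actions"] += ["notify_account_holder_out_of_band", "alert_soc"]
        earliest = req.requested_at + COOLING_OFF
        result["earliest_execution"] = earliest
        if result["decision"] != "deny" and now < earliest:
            result["decision"] = "hold"
            result["reasons"].append("tier 3 cooling-off period has not elapsed")
    return result


if __name__ == "__main__":
    t0 = datetime(2025, 6, 12, 9, 0)
    req = ResetRequest("agent-4471", frozenset({"intranet_wiki", "claims_platform"}),
                       "password", t0)
    print(evaluate(req, t0 + timedelta(hours=1)))   # held: cooling-off still running
    print(evaluate(req, t0 + timedelta(hours=25)))  # approved after the 24-hour window
```

The SOC alert and account-holder notification fire for every Tier 3 request, including one that is later denied or never executed, because an attempted reset on a bulk-PII account is itself the signal the security operations center wants.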
3. Script MFA Fatigue as a Security Incident, Not an Authentication Anomaly
When an employee receives more than two unexpected MFA push notifications in a session and does not initiate a corresponding login attempt, that is a security incident — not an authentication anomaly to log and ignore. CISOs should configure identity platforms (Okta, Microsoft Entra, Duo) to auto-lock accounts and generate a priority-one SOC alert after three consecutive unsolicited MFA pushes within a 30-minute window. Simultaneously, the affected employee should receive an out-of-band notification (SMS, personal email, or a manager call) explaining that someone may be attempting to access their account and instructing them explicitly not to approve any pending MFA requests. The combination of auto-lock plus employee notification closes the fatigue window before an analyst can be worn down or socially engineered on a concurrent call.
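The detection rule in this section (three consecutive unsolicited pushes in 30 minutes, then lock, P1 SOC alert and out-of-band notice to the employee) can be replayed over identity-provider push logs. The block below is an added example and not code from the page, Aflac or any identity vendor; the JSON-lines event format, field names and users are constructed, and "unsolicited" is approximated as a push the user denied or let expire. It also flags the failure mode the section describes: an approval that arrives after the run of unsolicited pushes has already crossed the threshold.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
THRESHOLD = 3  # the article's "three consecutive unsolicited MFA pushes"

# Constructed sample push events in a hypothetical JSON-lines schema (not a real vendor format).
# jdoe: three pushes denied/expired within minutes, then a fourth one approved (fatigue success).
# asmith: one push, approved promptly (normal login).
# bkim: three denials spread across 80 minutes, never three inside one 30-minute window.
SAMPLE_LOG = """
{"ts": "2025-06-12T08:00:00Z", "user": "bkim",   "event": "push_sent",     "push_id": "p5", "source_ip": "198.51.100.7"}
{"ts": "2025-06-12T08:00:30Z", "user": "bkim",   "event": "push_denied",   "push_id": "p5"}
{"ts": "2025-06-12T08:40:00Z", "user": "bkim",   "event": "push_sent",     "push_id": "p6", "source_ip": "198.51.100.7"}
{"ts": "2025-06-12T08:40:30Z", "user": "bkim",   "event": "push_denied",   "push_id": "p6"}
{"ts": "2025-06-12T09:00:00Z", "user": "asmith", "event": "push_sent",     "push_id": "p9", "source_ip": "192.0.2.44"}
{"ts": "2025-06-12T09:00:15Z", "user": "asmith", "event": "push_approved", "push_id": "p9"}
{"ts": "2025-06-12T09:01:00Z", "user": "jdoe",   "event": "push_sent",     "push_id": "p1", "source_ip": "203.0.113.10"}
{"ts": "2025-06-12T09:01:40Z", "user": "jdoe",   "event": "push_denied",   "push_id": "p1"}
{"ts": "2025-06-12T09:05:00Z", "user": "jdoe",   "event": "push_sent",     "push_id": "p2", "source_ip": "203.0.113.10"}
{"ts": "2025-06-12T09:06:00Z", "user": "jdoe",   "event": "push_expired",  "push_id": "p2"}
{"ts": "2025-06-12T09:09:00Z", "user": "jdoe",   "event": "push_sent",     "push_id": "p3", "source_ip": "203.0.113.10"}
{"ts": "2025-06-12T09:09:30Z", "user": "jdoe",   "event": "push_denied",   "push_id": "p3"}
{"ts": "2025-06-12T09:12:00Z", "user": "jdoe",   "event": "push_sent",     "push_id": "p4", "source_ip": "203.0.113.10"}
{"ts": "2025-06-12T09:12:20Z", "user": "jdoe",   "event": "push_approved", "push_id": "p4"}
{"ts": "2025-06-12T09:20:00Z", "user": "bkim",   "event": "push_sent",     "push_id": "p7", "source_ip": "198.51.100.7"}
{"ts": "2025-06-12T09:20:30Z", "user": "bkim",   "event": "push_denied",   "push_id": "p7"}
"""


def parse_events(text):
    """Parse JSON-lines push events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_fatigue(events):
    """Replay events and return incidents under the three-in-30-minutes rule."""
    sent_at = {}                   # push_id -> time the push was sent
    window = defaultdict(deque)    # user -> send times of consecutive unsolicited pushes
    alerted = set()                # users whose current run has already raised an incident
    incidents = []

    for e in events:
        user, kind, ts = e["user"], e["event"], e["ts"]
        if kind == "push_sent":
            sent_at[e["push_id"]] = ts
            continue

        run = window[user]
        # Forget unsolicited pushes that fall outside the 30-minute window.
        while run and ts - run[0] > WINDOW:
            run.popleft()

        if kind in ("push_denied", "push_expired"):
            run.append(sent_at.get(e["push_id"], ts))
            if len(run) >= THRESHOLD and user not in alerted:
                alerted.add(user)
                incidents.append({
                    "user": user, "kind": "mfa_fatigue", "ts": ts, "severity": "P1",
                    "unsolicited_pushes": len(run),
                    "actions": ["lock_account", "alert_soc", "notify_user_out_of_band"],
                })
        elif kind == "push_approved":
            # An approval after the threshold is the worn-down-employee case: treat it as
            # a probable compromise, not a successful login.
            if len(run) >= THRESHOLD:
                incidents.append({
                    "user": user, "kind": "approval_after_fatigue", "ts": ts,
                    "severity": "critical", "unsolicited_pushes": len(run),
                    "actions": ["lock_account", "revoke_sessions", "alert_soc",
                                "notify_user_out_of_band"],
                })
            # Any approval ends the run of consecutive unsolicited pushes.
            run.clear()
            alerted.discard(user)
    return incidents


if __name__ == "__main__":
    for incident in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(incident)
```

In a live deployment the lock and notification actions would be wired to the identity platform's administrative API and a paging channel; here they are returned as an action list so the rule itself can be tested offline against the constructed log.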
4. Build a Help-Desk Red Team Exercise Specifically for Vishing
Annual security awareness training with a phishing simulation module does not prepare analysts for a live voice call from a confident, well-prepared attacker who knows the employee’s manager’s name. The only preparation that works is practice under realistic conditions. Security teams should run quarterly vishing drills targeting the help desk: a trained internal red-teamer, using real employee data available through LinkedIn and prior breach datasets, attempts to talk an analyst through a Tier 3 credential reset. Pass or fail, each drill produces a named analyst who needs coaching, a named procedure that was exploited, and a recorded call that becomes training material. The Aflac, MGM (2023), and Marks & Spencer (2025) breaches all followed the same script — there is no shortage of case-study material to build the drills around.
The Structural Lesson: Insurance Is the New Critical Infrastructure Target
The concentrated June 2025 campaign against Aflac, Erie Insurance, Philadelphia Insurance, and Scania Financial — followed weeks later by aviation targets — reveals a pattern that has strategic implications beyond any individual CISO remediation list. Scattered Spider is not a financially opportunistic group that stumbles onto targets; it is a sector-rotation attacker that identifies industries with high-value personal data stores, large and distributed help-desk operations, and historically lower security investment relative to financial services or technology.
Insurance checks all three boxes. The sector holds SSNs, health records, and financial data at scale. Help desks are often high-volume, outsourced, and measured on resolution speed — a culture that is structurally hostile to the friction that good identity verification requires. And while financial services firms have spent two decades hardening under PCI DSS, DORA, and FFIEC guidance, insurance cybersecurity regulation varies significantly by jurisdiction and has historically been lighter-touch.
The regulatory posture is shifting. US state insurance regulators, led by the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500), now require covered entities to include specific multi-factor authentication controls, incident reporting within 72 hours of discovery, and annual penetration testing. Insurers operating across multiple US states are navigating a patchwork of similar requirements. The six-month disclosure gap in the Aflac case is precisely the kind of timeline that regulators will scrutinize in post-incident reviews.
For CISOs outside the insurance sector, the lesson translates directly. Any organization where a help-desk call can result in credential access to systems holding bulk PII — healthcare, payroll providers, HR platforms, financial services — is operating the same attack surface that Scattered Spider exploited at Aflac. The playbook is public. The countermeasures are known. The remaining question is whether the remediation gets prioritized before or after the breach notification letter goes out.
Frequently Asked Questions
What data did Scattered Spider steal from Aflac?
The attackers exfiltrated names, dates of birth, home addresses, government-issued identification numbers, driving license details, Social Security numbers, and medical and health insurance records including claims data, affecting 22.65 million customers, employees, agents, and beneficiaries.
How does Scattered Spider bypass multi-factor authentication?
Scattered Spider uses two primary techniques: vishing (voice phishing) calls to help-desk staff, where operatives impersonate employees and use pre-harvested personal data to pressure analysts into resetting MFA credentials; and MFA fatigue, where repeated push notification requests are sent until a legitimate user approves one out of confusion or fatigue.
Which other insurance companies did Scattered Spider target in 2025?
The June 2025 campaign attributed to Scattered Spider also hit Philadelphia Insurance Companies, Erie Insurance, Scania Financial Services, and Allianz Life. The same group later targeted aviation companies including WestJet, Hawaiian Airlines, and Qantas.