Over 50 insurers globally have been hit by ransomware in 2025 already.
In today’s digitally driven economy, cyber-criminals are constantly on the hunt for high-value targets, and insurers are in the firing line. Over 50 insurers globally have been hit by ransomware in 2025 already, with groups such as Akira, SilentRansom, Qilin and Scattered Spider turning insurance companies into prime targets.
Scattered Spider, which gained widespread media exposure for its attacks on UK retailers earlier this year, has been linked to ransomware incidents affecting US-based Philadelphia Insurance and Erie Insurance, which operates in both the UK and the US.
Earlier this summer, Allianz Life confirmed that unidentified hackers stole the personally identifiable information belonging to the “majority” of its 1.4 million customers, as well as some Allianz Life employees and financial professionals.
What makes insurers attractive to cyber-criminals?
Unlike many other industries, insurers hold a vast and diverse array of personally identifiable information (PII). This includes basic data such as names, addresses, contact details, dates of birth and national insurance numbers.
In the case of life or health policies, insurers often gather highly sensitive information such as medical histories, financial records, banking information and even lifestyle data. In short, they hold a comprehensive digital profile of individuals, an absolute goldmine for hackers that is highly valuable on the dark web.
What sets insurers apart is not just the quality of data they hold, but also the volume and duration of data retention. Insurers typically keep detailed records for many years to support long-term claims and regulatory compliance, meaning a single breach can have a huge effect.
Beyond personal data, commercial insurers also hold sensitive information about corporate clients. This can include claims data, contract terms, risk assessments and even details about clients’ cyber insurance coverage. For cyber-criminals, such intelligence can be a launchpad for targeted extortion or ransomware attacks, exploiting known vulnerabilities or coverage limits to maximise damage and potential ransom payouts.
There is also the continued reliance on legacy IT systems by insurers, many of which were built long before cybersecurity was a central concern. These older systems are often connected to newer digital platforms, inadvertently creating security gaps that can be exploited by hackers.
Moreover, insurers operate within complex ecosystems of brokers, agents, and third-party vendors, increasing the risk of supply chain vulnerabilities. A weak link anywhere in this chain, such as a vendor with poor cybersecurity hygiene, can provide an entry point for attackers.
Common attack methods targeting insurers
In the recent attacks on Allianz Life, Erie Insurance and Philadelphia Insurance, the breaches resulted from the abuse of helpdesk and call centre processes through sophisticated social engineering, which is unfortunately now commonplace.
For example, an attacker will call up a helpdesk impersonating an employee and ask them to send a multi-factor authentication (MFA) link for their new mobile device. From this they can then reset passwords and gain access to accounts.
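Detection logic for the helpdesk sequence described above, added here as an example that is not part of the original article: it scans identity-provider audit events for a helpdesk-sent MFA enrolment link followed shortly by a new factor enrolment and a password reset from the same device. The event field names, action values and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; field names and action values are
# hypothetical, not taken from any particular identity provider.
EVENTS = [
    {"ts": "2025-08-01T09:02:00", "actor": "helpdesk.amy", "action": "mfa_enrol_link_sent", "target": "j.smith"},
    {"ts": "2025-08-01T09:05:00", "actor": "j.smith", "action": "mfa_factor_enrolled", "target": "j.smith", "device": "dev-NEW-1"},
    {"ts": "2025-08-01T09:11:00", "actor": "j.smith", "action": "password_reset", "target": "j.smith", "device": "dev-NEW-1"},
    {"ts": "2025-08-01T10:00:00", "actor": "helpdesk.bob", "action": "mfa_enrol_link_sent", "target": "p.jones"},
    {"ts": "2025-08-01T10:04:00", "actor": "p.jones", "action": "mfa_factor_enrolled", "target": "p.jones", "device": "dev-NEW-2"},
    {"ts": "2025-08-03T08:30:00", "actor": "p.jones", "action": "password_reset", "target": "p.jones", "device": "dev-NEW-2"},
    {"ts": "2025-08-01T11:00:00", "actor": "k.lee", "action": "password_reset", "target": "k.lee", "device": "dev-KNOWN-7"},
]

WINDOW = timedelta(minutes=30)  # assumed threshold; tune to local helpdesk patterns


def flag_helpdesk_takeover(events, window=WINDOW):
    """Return alerts where a helpdesk-sent MFA enrolment link is followed,
    within `window`, by a new factor enrolment and then a password reset
    from that same newly enrolled device."""
    alerts = []
    state = {}  # account -> progress through the sequence
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct, action = ev["target"], ev["action"]
        # Step 1: someone other than the account owner sends an enrolment link.
        if action == "mfa_enrol_link_sent" and ev["actor"] != acct:
            state[acct] = {"start": ts, "agent": ev["actor"], "device": None}
            continue
        st = state.get(acct)
        if st is None:
            continue  # no helpdesk-initiated enrolment pending for this account
        if ts - st["start"] > window:
            del state[acct]  # sequence expired without completing
            continue
        # Step 2: remember which device the new factor was enrolled on.
        if action == "mfa_factor_enrolled":
            st["device"] = ev.get("device")
        # Step 3: password reset from that same new device completes the pattern.
        elif action == "password_reset" and st["device"] and ev.get("device") == st["device"]:
            alerts.append({"account": acct, "helpdesk_agent": st["agent"],
                           "device": st["device"],
                           "minutes": int((ts - st["start"]).total_seconds() // 60)})
            del state[acct]
    return alerts
```

An alert here is a prompt for out-of-band verification with the account owner, since legitimate device replacements produce the same sequence.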
A statement from Allianz Life confirmed that attackers gained access to a third-party cloud-based CRM system used by Allianz Life via social engineering tactics, also signalling the increasing risk of third-party vulnerabilities.
Phishing also remains a common initial attack method, with sophisticated emails tricking employees into revealing credentials or downloading malware.
Another frequent method is supply chain compromise. Attackers may infiltrate insurers by first compromising smaller, less secure vendors with access to critical systems or data. In these cases, the insurer may become the unintended victim of a breach originating outside their immediate IT perimeter.
The importance of layered security
To combat these threats, a layered security approach is essential. No single solution can provide full protection. Instead, organisations must implement multiple overlapping defences to detect, isolate and mitigate threats.
Commonly, this might start with the perimeter, using Intrusion Detection Systems to monitor for suspicious events, and firewalls to filter traffic and prevent opportunistic attacks and automated threats. Inside the perimeter, the critical layers are likely to be endpoint devices such as end-user laptops, which should be continuously monitored for threats.
Identity and Access Management should also be high among an organisation’s considerations: use MFA or SSO, base permissions and privileges on users’ job functions and responsibilities, and apply appropriate role-based access controls.
Building a human firewall through education
Even with the best technology in place, human error remains a leading cause of cyber breaches, as we have seen with the recent attacks on the sector. That’s why organisations must foster a culture of security, with employee training being a vital component of any cybersecurity strategy.
Staff need to be aware of phishing and social engineering techniques, the importance of strong password hygiene and the risks of downloading unauthorised software or clicking unknown links.
As cyber threats continue to evolve in complexity and scale, insurance companies must recognise their heightened risk profile and act decisively to protect their data and systems. By doing so, insurers are not only protecting their own assets but also safeguarding the sensitive personal and financial data of millions. In today’s digital world, that responsibility has never been more critical.
Written by
Danny Howett
Technical Director
CyXcel