August 5, 2025
Insurance Companies: Protect Against Scattered Spider Attacks with Data Masking
Right now, the insurance industry faces an urgent cybersecurity threat: Scattered Spider. The financially motivated hacking group has rapidly shifted its focus after preying on retail companies in the U.K. and U.S. Now, it is targeting insurance companies.
The danger is clear. Insurance firms manage exactly what cybercriminals want: vast amounts of sensitive customer data.
Drawing on my experience as a CISO, I’ll break down the Scattered Spider threat and share practical guidance for insurance leaders.
Table of Contents
- Understanding the Scattered Spider Insurance Threat
- Why Insurance Companies Are Prime Targets for Scattered Spider
- Why Traditional Security Falls Short Against Scattered Spider
- A New Approach: Devalue the Treasure with Data Masking
- How Perforce Delphix Data Masking De-Risks Data
- Delphix’s Real-World Impact in the Insurance Sector
- Experience the Difference with Delphix Data Masking
Understanding the Scattered Spider Insurance Threat
Who They Are and What They Do
Scattered Spider is not your typical "hacker in a hoodie" from the movies — hackers rarely are. The group has no need for elite zero-day exploits to achieve its goals.
Instead, this group excels at social engineering. Its members often pose as a company’s tech support staff or as an employee who needs help. They call the help desk and persuade it to reset passwords or hand over sensitive information, even the company’s multi-factor authentication tokens.
Before an attack, Scattered Spider actors scour social media sites and the web for personal information about employees. They piece together details such as who reports to whom and personal interests, along with login credentials bought from criminal marketplaces, then use all of it to impersonate staff more convincingly and craft believable phishing lures.
This “malicious web scraping” of publicly available data gives them the context to manipulate insiders effectively. It lets them bypass traditional perimeter security by exploiting human trust and procedural gaps.
Why They’re Dangerous
What makes Scattered Spider particularly dangerous is their systematic targeting approach. Unlike criminals who simply sell data on the dark web, Scattered Spider’s aim is to extort and defraud. After stealing this corporate data, they target customers and employees, using it for blackmail and financial fraud.
It has become all too common for enterprises to face data breaches and data theft. And non-production environments — like development, test, proof-of-concept, and analytics environments — are the most vulnerable. That’s because they carry a significant sensitive data footprint combined with weaker controls and governance, making them a weak link from a cybersecurity standpoint. And for every production environment, there are often between 3 and 10 non-production copies containing an organization’s sensitive data. In fact, according to our upcoming State of Data Compliance and Security Report, 60% of organizations have experienced a data breach or theft of sensitive data from non-production environments.
To protect against Scattered Spider and other criminals, you need to protect non-production environments and limit the sensitive information they contain.
Why Insurance Companies Are Prime Targets for Scattered Spider
The insurance sector is at such a high risk of being targeted by groups like Scattered Spider for several key reasons:
Rich Data Repositories
Insurers hold decades of PII and personal health information from millions of consumers. This includes Social Security numbers, driver’s license details, medical records, financial account info, and more. They’re a goldmine of data for hackers to exploit.
Acquisition-Driven Growth
The insurance business often grows by mergers and acquisitions. Each acquisition brings its own IT systems, networks, and security controls. The result can be a fragmented environment with scattered security controls and inconsistent policies.
Attackers will seek out the weakest link among many systems. One legacy subsidiary with outdated access controls can become the gateway into the larger enterprise.
Manual Work Processes
Many insurers still rely on older core systems and manual workflows. For example, during claims processing or underwriting, employees might export data to Excel or email, or use workaround scripts to transfer data between siloed systems. These manual data transfers create vulnerabilities that attackers can exploit.
Massive Employee Bases
Insurance giants employ tens of thousands of people across many geographies, and maintaining uniform security awareness and behavior at that scale is extremely difficult. All it takes is one employee out of thousands to fall for a phone scam or use a weak password.
Why Traditional Security Falls Short Against Scattered Spider
Given the risk, one might ask: aren’t insurers investing heavily in cybersecurity? Yes, they have strong perimeter defenses and SOC monitoring that can be world-class. The trouble is that traditional perimeter-focused security is not enough against groups like Scattered Spider.
Conventional cybersecurity — with firewalls, VPNs, and intrusion detection — is like building strong castle walls. But Scattered Spider simply knocks on the front gate wearing a disguise and walks right in. By exploiting human nature and operational weak points, they bypass the walls entirely.
To Illustrate: a Castle with a Forgotten Side Door
I learned this lesson vividly in a previous role. We discovered that a supposedly low-priority test environment had been quietly exfiltrating data for weeks. No one noticed at first because that environment wasn’t locked down or monitored like production. It was an “aha” moment: our castle had an overlooked side door.
The experience reinforced my belief that no matter how good your walls and guards are, you cannot assume complete visibility or control over every system. Attackers will find the one test server you forgot about.
From that incident on, I adopted a philosophy: “Mask everything outside production.” In other words, operate on the assumption that if a system isn’t your main live environment serving customers, it will get breached or misused eventually. Therefore, it should hold no real sensitive data to begin with.
A New Approach: Devalue the Treasure with Data Masking
For all the reasons listed above (legacy complexity, manual processes, large workforce), implementing flawless preventative controls in an insurer’s environment is extremely challenging. Smart insurance companies are adopting another strategy to protect themselves from groups like Scattered Spider: rendering their data worthless to any bad actors who may get hold of it.
I often call this the “devalue the treasure” approach, or the “empty purse” approach. The idea is simple: even if a thief reaches into your secure vault, they find it empty or full of play money.
In data terms, this means populating all those non-production and secondary systems (dev, test, staging, analytics, vendor platforms, etc.) with realistic-looking but fake data. The technique that enables this is static data masking. Static data masking takes sensitive data (like a customer’s name, address, or Social Security number) and transforms it into fictional but credible values. The masked data retains its format and usefulness for testing or analysis, but it is no longer tied to real individuals.
An insurer can apply static data masking so that outside the core production databases, no system ever holds real customer PII.
A Note on Data Masking Types
Not all data masking methods are equal. For strong security, the masking must be irreversible, meaning no one can recover the original data. Typically, this is done with algorithms that substitute data consistently (so an individual’s records can still be correlated) but break any real-world identity link.
One best practice is using static data masking, which means you mask the data at rest in the database copy before it’s used. Static masking ensures that if a non-production copy is leaked, it’s already sanitized. (Dynamic masking, which hides data only when queried, can be bypassed, or it might leave data exposed in memory or logs.)
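An added illustration of the properties this section describes (consistent, irreversible, format-preserving static masking applied to a copy at rest), written for this post and not Delphix’s own algorithm or code. The keyed-hash substitution, the field names and the two constructed sample tables are assumptions chosen to show that records still join after masking while the real values are gone.

```python
import hashlib, hmac, re
from collections import Counter

# Constructed sample records (not real people): a policyholder table and a claims
# table that must remain joinable on SSN after masking.
POLICYHOLDERS = [
    {"ssn": "123-45-6789", "name": "Jane Example", "email": "jane@example.com"},
    {"ssn": "987-65-4321", "name": "John Sample", "email": "john@example.org"},
]
CLAIMS = [
    {"claim_id": 1, "ssn": "123-45-6789", "amount": 1200},
    {"claim_id": 2, "ssn": "123-45-6789", "amount": 300},
    {"claim_id": 3, "ssn": "987-65-4321", "amount": 4500},
]
FIRST = ["Alex", "Sam", "Taylor", "Jordan", "Casey", "Riley"]
LAST = ["Rivera", "Chen", "Okafor", "Schmidt", "Nakamura", "Dubois"]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def _digest(secret: bytes, field: str, value: str) -> bytes:
    # Keyed hash: the same (field, value) always maps to the same output, so an
    # individual's rows still correlate across tables. SHA-256 cannot be inverted, and
    # without the secret (held only by the masking job) the mapping cannot be recomputed.
    return hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).digest()

def mask_ssn(secret: bytes, ssn: str) -> str:
    # Keep the NNN-NN-NNNN shape so validators and test cases keep working.
    digits = "".join(str(b % 10) for b in _digest(secret, "ssn", ssn)[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def mask_name(secret: bytes, name: str) -> str:
    d = _digest(secret, "name", name)
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"

def mask_email(secret: bytes, email: str) -> str:
    # ".invalid" is a reserved TLD, so a masked address can never reach a real mailbox.
    d = _digest(secret, "email", email)
    return f"user{int.from_bytes(d[:4], 'big')}@example.invalid"

def mask_dataset(secret: bytes, policyholders: list, claims: list) -> tuple:
    # Static masking: rewrite the copy at rest before dev/test ever receive it.
    ph = [dict(r, ssn=mask_ssn(secret, r["ssn"]), name=mask_name(secret, r["name"]),
               email=mask_email(secret, r["email"])) for r in policyholders]
    cl = [dict(c, ssn=mask_ssn(secret, c["ssn"])) for c in claims]
    return ph, cl

def joins_preserved(policyholders: list, claims: list) -> bool:
    # True when every claim still joins to exactly one policyholder.
    holders = Counter(r["ssn"] for r in policyholders)
    return all(holders[c["ssn"]] == 1 for c in claims)
```

Run `mask_dataset` with a per-job secret and discard that secret afterwards; the masked copy then carries no route back to the production values, which is the guarantee dynamic masking cannot give.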
How Perforce Delphix Data Masking De-Risks Data
Perforce Delphix offers comprehensive data masking to implement this "devalue the treasure" strategy.
| Delphix Capability | Benefit |
| --- | --- |
| Automated Sensitive Data Discovery | Automatically locate sensitive data like PII, PHI, and custom data across structured and semi-structured sources. |
| Policy-Driven Data Masking | Easily define masking policies and consistently mask sensitive data across all environments. |
| High-Fidelity Data | Keep data relationships while removing sensitive details. Data looks real but is useless to attackers. |
| Fast Data Provisioning | Deliver copies in minutes rather than days compared to traditional approaches. |
| Complete Tracking | Built-in audit trails and compliance reporting. Records what data was masked, when, and by whom. |
Delphix’s Real-World Impact in the Insurance Sector
Organizations worldwide trust Delphix for comprehensive data masking and compliance. Here's how leading insurance companies protect sensitive data while accelerating innovation.
Tokio Marine
Tokio Marine needed a data masking solution that would also optimize their environments. Delphix let them successfully mask sensitive data across all environments, plus reduce non-production storage by 85%.
Delta Dental
Delta Dental used to spend 8 weeks just extracting data. Protecting sensitive data for compliance was difficult. With Delphix, they can mask data and easily deliver it to a team of 200 developers in minutes.
Experience the Difference with Delphix Data Masking
The Scattered Spider threat is not disappearing, only getting worse. Healthcare, retail, and other industries with customer data face similar threats. But insurance companies have special risks. Their combination of acquisition-driven growth and regulatory requirements makes the need for data masking urgent.
Insurance companies cannot afford to rely solely on traditional perimeter defenses. A comprehensive data masking strategy lets them keep business agility while removing the prize: even if Scattered Spider breaks through, the attackers find nothing valuable to steal.
A growing number of insurers (and companies in other industries) have embraced this strategy. After a series of near-misses, one CISO I know mandated that all customer data used for analytics be statically masked. Another large insurer has a policy that any data leaving core systems for any reason (development, outsourcing, analytics) must be masked beforehand.
These organizations have decided that the only realistic way to manage customer data in an era of constant, targeted social engineering attacks is to stop allowing it to exist anywhere that is not strictly necessary. It is simply too dangerous.
Get a Custom Demo: Perforce Delphix Data Masking
Ready to protect your organization against cyberattacks? Get a no-pressure demo from our product experts to see how Delphix data masking solutions secure your sensitive customer data while keeping operations running smoothly.