A mid-sized retail firm insured by Allianz Commercial fell victim to a **Scattered Spider**-linked ransomware attack in early 2025, initiated via a **fake help desk call** that compromised employee credentials. Within 24 hours, attackers exfiltrated **customer payment data (credit cards, personal details)** and encrypted critical systems, halting e-commerce operations for **48 hours**. The breach exposed **120,000 customer records**, triggering **privacy litigation** under GDPR and a **€2.1M ransom demand** (partially paid to prevent data leaks). The incident disrupted supply chain integrations, causing **€3.8M in business interruption losses**—amplified by a concurrent cloud outage at a third-party payment processor. While Allianz’s tabletop exercises helped contain the attack, the retailer faced **reputational damage** from press coverage and a **15% drop in quarterly sales**. Regulatory fines for delayed breach notification added €900K to the total loss.
Source: https://www.helpnetsecurity.com/2025/10/01/insurance-claims-ransomware-h1-2025/
TPRM report: https://www.rankiteo.com/company/allianz-commercial
"id": "all4362043100125",
"linkid": "allianz-commercial",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': 'Millions (due to supply '
'chain/retail breaches)',
'industry': ['Retail (Most Targeted in H1 2025)',
'Manufacturing',
'Professional Services'],
'location': 'Global (with focus on regions with low '
'cyber insurance penetration)',
'size': 'Small to Mid-Sized Firms',
'type': ['Small and Medium-Sized Enterprises (SMEs)',
'Retailers',
'Manufacturers',
'Professional Services Firms']}],
'attack_vector': ['Phishing/Social Engineering',
'Compromised Credentials',
'Fake Help Desk Calls (e.g., Scattered Spider)',
'Supply Chain Vulnerabilities',
'Cloud Security Incidents',
'Generative AI-Enhanced Scams'],
'customer_advisories': ['Monitor financial accounts for fraud (if data '
'breached).',
'Report suspicious communications (e.g., phishing, '
'fake support calls).'],
'data_breach': {'data_encryption': 'Secondary (still used in 60% of large '
'claims)',
'data_exfiltration': 'Primary tactic (more common than '
'encryption)',
'personally_identifiable_information': 'Frequently targeted '
'in retail breaches',
'sensitivity_of_data': 'High (PII, payment data)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Records',
'Corporate Intellectual '
'Property']},
'date_publicly_disclosed': '2025-06-30',
'description': 'In 2025, cybercriminals are increasingly targeting small and '
'mid-sized firms due to hardened defenses at larger '
'enterprises. Ransomware remains the dominant threat, with 88% '
'of breaches at SMEs involving ransomware (vs. 39% at larger '
'firms). Attackers are shifting from encryption to data '
'exfiltration, which is more lucrative and less '
'resource-intensive. Social engineering, credential abuse, and '
'supply chain disruptions are key attack vectors. Retailers '
'are the most targeted industry, while regulatory pressures '
'(e.g., DORA, NIS2) and cyber insurance adoption are rising. '
'Early detection, basic controls (patching, MFA, backups), and '
'tabletop exercises significantly reduce claim costs.',
'impact': {'brand_reputation_impact': ['Loss of Customer Trust',
'Regulatory Scrutiny'],
'data_compromised': ['Personal Data (Retailers)',
'Customer Records',
'Payment Information',
'Sensitive Corporate Data'],
'financial_loss': {'average_breach_cost': '$5 million (2024 global '
'average)',
'claim_severity_reduction': '>50% decline in H1 '
'2025 (due to '
'preparedness)',
'large_claims': '60% of claims >€1M linked to '
'ransomware (H1 2025)',
'very_large_claims': '30% drop in H1 2025'},
'identity_theft_risk': 'High (due to PII exposure in retail '
'breaches)',
'legal_liabilities': ['Privacy Litigation (1,500+ US actions in '
'2024)',
'Regulatory Fines (DORA, NIS2)'],
'operational_impact': ['Business Interruption (50%+ of cyber claim '
'value)',
'Supply Chain Disruptions',
'Cloud Service Outages'],
'payment_information_risk': 'High (targeted in '
'ransomware/exfiltration)',
'systems_affected': ['Retailer IT Systems',
'Manufacturing Supply Chains',
'Professional Services Firms',
'Cloud Environments']},
'initial_access_broker': {'data_sold_on_dark_web': 'Common (stolen '
'credentials, PII, '
'corporate data)',
'entry_point': ['Compromised Credentials (Most '
'Common)',
'Phishing Emails',
'Fake Help Desk Calls (e.g., '
'Scattered Spider)',
'Exploited Vulnerabilities in '
'Supply Chain'],
'high_value_targets': ['Retailer Databases '
'(PII/Payment Data)',
'Manufacturing Supply Chain '
'Systems',
'Cloud-Stored Corporate '
'Data'],
'reconnaissance_period': 'Often <24 hours (rapid '
'movement to ransomware)'},
'investigation_status': 'Ongoing (trend analysis based on H1 2025 claims '
'data)',
'lessons_learned': ['SMEs are now primary targets due to weaker defenses '
'compared to large enterprises.',
'Data exfiltration is more profitable and easier than '
'encryption for attackers.',
'Basic controls (MFA, patching, backups) drastically '
'reduce financial impact.',
'Supply chain and cloud security are critical but often '
'overlooked.',
'Tabletop exercises and business continuity planning '
'improve resilience.',
'Regulatory compliance (DORA, NIS2) will raise the bar '
'for mid-sized firms.'],
'motivation': ['Financial Gain (Ransom Payments)',
'Data Theft for Resale (Dark Web)',
'Disruption of Business Operations',
'Exploitation of Supply Chain Weaknesses'],
'post_incident_analysis': {'corrective_actions': ['Mandate MFA and '
'least-privilege access.',
'Implement network '
'segmentation and '
'zero-trust principles.',
'Conduct regular phishing '
'simulations and security '
'training.',
'Audit third-party vendors '
'for cybersecurity risks.',
'Deploy EDR/XDR for early '
'threat detection.',
'Test backups and incident '
'response plans quarterly.'],
'root_causes': ['Lack of Basic Controls (MFA, '
'Patching) in SMEs',
'Over-Reliance on Perimeter '
'Security (No Segmentation)',
'Poor Employee Training on Social '
'Engineering',
'Supply Chain/Vendor Security Gaps',
'Delayed Detection and Response']},
'ransomware': {'data_encryption': 'Used in 60% of large claims (>€1M)',
'data_exfiltration': 'Dominant tactic (88% of SME breaches)'},
'recommendations': ['Implement MFA and network segmentation to limit lateral '
'movement.',
'Conduct regular patching and backup testing.',
'Train employees on social engineering (e.g., phishing, '
'fake help desk calls).',
'Assess third-party/supplier cybersecurity risks.',
'Adopt cyber insurance to mitigate financial and '
'operational risks.',
'Prepare for DORA/NIS2 compliance if operating in the EU.',
'Use tabletop exercises to test incident response plans.',
'Monitor dark web for stolen credentials/data.'],
'references': [{'date_accessed': '2025-06-27',
'source': 'Allianz Cyber Security Resilience 2025 Report',
'url': 'https://www.allianz.com/en/press/news/reports/250627-cyber-security-resilience-2025.html'},
{'date_accessed': '2025-06-30',
'source': 'Allianz Commercial - Global Cyber Insurance Market '
'Projections',
'url': 'https://commercial.allianz.com/en/insights/press-releases/cyber-insurance-market-to-double-by-2030.html'}],
'regulatory_compliance': {'legal_actions': '1,500+ privacy litigation cases '
'(US, 2024)',
'regulations_violated': ['Digital Operational '
'Resilience Act (DORA) - '
'EU',
'NIS2 Directive - EU',
'Sector-Specific Privacy '
'Laws (e.g., GDPR)'],
'regulatory_notifications': 'Mandatory under '
'DORA/NIS2 for critical '
'sectors'},
'response': {'communication_strategy': ['Transparent Disclosure (for insured '
'firms)',
'Regulatory Reporting (DORA/NIS2 '
'compliance)'],
'containment_measures': ['Network Segmentation',
'Isolation of Affected Systems',
'Revoking Compromised Credentials'],
'enhanced_monitoring': 'Early detection reduced losses by 1,000x',
'incident_response_plan_activated': 'Yes (for insured firms with '
'preparedness)',
'network_segmentation': 'Critical for limiting lateral movement',
'recovery_measures': ['Business Continuity Plans',
'Supplier Risk Assessments',
'Customer Notification (if data breached)'],
'remediation_measures': ['Patching Vulnerabilities',
'Enhanced Authentication (MFA)',
'Data Recovery from Backups'],
'third_party_assistance': ['Cyber Insurance Providers (e.g., '
'Allianz)',
'Forensic Investigators',
'Legal Counsel']},
'stakeholder_advisories': ['Mid-sized firms urged to adopt cyber insurance '
'and basic controls.',
'Retailers advised to secure customer data and '
'supply chains.',
'EU organizations must prepare for DORA/NIS2 '
'compliance deadlines.'],
'threat_actor': ['Scattered Spider',
'Opportunistic Cybercriminal Groups',
'Initial Access Brokers (IABs)',
'Ransomware-as-a-Service (RaaS) Affiliates'],
'title': 'Shift in Cyber Threats Targeting Small and Mid-Sized Firms in 2025',
'type': ['Ransomware',
'Data Theft/Exfiltration',
'Social Engineering',
'Credential Abuse',
'Supply Chain Disruption',
'Business Email Compromise (BEC)',
'IT Outages (Non-Malicious)'],
'vulnerability_exploited': ['Lack of Multi-Factor Authentication (MFA)',
'Unpatched Systems',
'Poor Network Segmentation',
'Insufficient Backup Protocols',
'Weak Supplier Security Controls']}