Skip to main content
Marsh logo

Resource centre

UK Cyber incidents linked to Scattered Spider

Multiple organisations have recently been hit by separate cyber incidents in highly targeted, sophisticated campaigns. It is believed that the threat group known as Scattered Spider is behind this.

What should you do if you suspect a compromise?

  • Activate your incident response and/or crisis management plans, and stand up your incident response team.
  • Shift to out of band communication platforms, such as CYGNVS.
    Call the CYGNVS hotline to create your secure incident room and invite relevant internal and external stakeholders to join.
  • Notify Marsh Cyber Incident Management team via our dedicated 24/7 CYGNVS hotline.
    Notify cyber insurers promptly.
  • Seek expert support and do not engage with the threat actor.

If you think your business has been affected, we urge you to reach out to your Marsh contact or one of our cyber specialists as soon as possible.

Dedicated CYGNVS 24/7 hotline

Call us Email us

Steps to protect your organisation now

Placeholder Image

Review your logs and investigate any recent false positives. Strengthen your environment against the published Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with Scattered Spider.

Placeholder Image

Alert your IT service desk to investigate suspicious passwords and/or MFA resets over the last few months.

Placeholder Image

Review your MFA policy and remove the ability for individuals to authenticate with a phone number.

Placeholder Image

Refresh employee training on phishing, social engineering and deepfake threats. Emphasise the importance of verifying requests for sensitive information.

Placeholder Image

Establish verification protocols for requests for information and resetting credentials, requiring secondary confirmation via a different communication channel.

Placeholder Image

Train helpdesk staff to recognise signs of social engineering attempts and implement strict verification processes for sensitive requests.

selected option

View the slides from our recent webinar, UK Retailers: Protecting Against Cyber Threats

View the slides

Here are the ways we can help if you have been or suspect you have been impacted.

Event management

  • Engaging technical assistance for your organisation, to help investigate any suspected compromise and to work on containment.
  • Supporting crisis management and communications, and bringing in any other expert assistance required.

Insurance coverage/recovery

  • Submitting a notice of circumstance or claim against your cyber insurance and supporting your organisation in obtaining the maximum reimbursement under your policy.

Employee awareness training

  • We can provide in-depth training courses for your employees on how to identify the social engineering tactics used by threat actors.

We will continue to monitor the situation and will keep you apprised of further developments.

Further guidance

Contacts

Helen Nuttall

Helen Nuttall

Managing Director, UK Cyber Incident Management Leader, Marsh Specialty

  • United Kingdom

Holly Waszak

Holly Waszak

Head of Cyber Claims, UK Cyber, Media & Technology Practice, Specialty UK

  • United Kingdom

Placeholder Image

Kelly Butler

Head of Cyber - UK, Marsh Speciality

  • United Kingdom

Serena France-Hayhurst

Serena France-Hayhurst

UK Cyber Placement Leader, Cyber Risk

  • United Kingdom

Kelvyn Sampson

Kelvyn Sampson

Marsh UK Industries - UK Retail, Leisure and Hospitality Industries Leader

  • United Kingdom