Erie Insurance reveals suspected network breach and ongoing outage
# Incident Report: Erie Insurance Information Security Event and Network Outage
## Executive Summary
Erie Insurance, a major US insurer, experienced an "information security event" discovered on June 7, 2025, resulting in an ongoing network outage. The discovery was triggered by unusual network activity identified by the company's information security team, which then proactively took protective measures. The insurer immediately raised concerns about secondary attacks, specifically phishing against its customers.
## Incident Details
- Discovery Date: Saturday, June 7, 2025
- Incident Date: Started before June 7, 2025 (discovery date)
- Affected Organization: Erie Insurance (Erie Indemnity Company)
- Sector: Insurance (Home and Auto)
- Geography: USA (Implied, as a Fortune 500 US insurer)
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-June 7, 2025 (Discovered Saturday, June 7)
- **Vector:** Not explicitly stated, but the discovery involved identifying "unusual network activity." Given the context of recent threats to similar organizations, phishing is a common precursor, although not confirmed here.
- **Details:** Information security team identified suspicious activity within the network systems.
### Lateral Movement
- **Details:** No specific details on lateral movement were provided in the announcement, but the scope was significant enough to cause an "ongoing network outage."
### Data Exfiltration/Impact
- **Details:** The primary observable impact was a confirmed "information security event" leading to an "ongoing network outage." The notice strongly suggests concern about potential customer data compromise, evidenced by its warning to customers about phishing attempts that solicit payments.
### Detection & Response
- **How it was discovered:** Erie Insurance’s information security team identified unusual network activity on Saturday, June 7.
- **Response actions taken:** The team took "immediate action to respond to the situation to safeguard our systems and data" and has continued to implement "protective action" since the discovery.
## Attack Methodology
*(Note: Specific technical stages (Persistence, Privilege Escalation, etc.) are not detailed in the public statement, so this section reflects high-level inferences based on the response.)*
- **Initial Access:** Indicated by detection of "unusual network activity."
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Implied, leading to a network-wide outage.
- **Collection:** Potential customer data compromise is implied by phishing warnings.
- **Exfiltration:** Not confirmed, but suspected due to security warnings.
- **Impact:** Network outage and confirmed security event.
## Impact Assessment
- **Financial:** Unknown, but the firm is a Fortune 500 business with nearly $4bn in revenue.
- **Data Breach:** Not confirmed, but the company is warning customers that attackers may attempt to solicit payments, implying potential access to customer contact or policy information.
- **Operational:** Significant. The company experienced an "ongoing network outage" affecting operations.
- **Reputational:** Moderate impact due to public notification of a security event and outage affecting millions of policyholders.
## Indicators of Compromise
- **Network indicators - defanged:** None provided. No specific IPs or domains associated with the malicious infrastructure were shared publicly.
- **File indicators:** None provided.
- **Behavioral indicators:** Detection based on "unusual network activity."
## Response Actions
- **Containment measures:** "Immediate action [...] to safeguard our systems and data."
- **Eradication steps:** Ongoing protective actions implemented since detection date.
- **Recovery actions:** The system outage is ongoing at the time of reporting.
## Lessons Learned
- **Key takeaways:** The organization has a monitoring system capable of detecting "unusual network activity."
- **What could have been done better:** The initial vector and full extent of compromise remain unclear, suggesting a need for clearer communication regarding the root cause (if determined).
## Recommendations
- **Prevention measures for similar incidents:** Review and enhance network monitoring to quickly identify and isolate initial access points. Apply heightened scrutiny to external communications and strengthen controls on customer-facing services (e.g., mandatory MFA for sensitive portals) to mitigate secondary phishing campaigns that target customers by leveraging the public incident announcement.