By Jason Martin
The costs are piling up from a three-year running cybersecurity threat that shows no signs of abating as it spreads to more industries.
The likely culprit: a hacking collective known as “Scattered Spider.” The playbook: get into a company’s internal systems via hacked employee credentials, cause havoc, demand ransom.
Just recently, Jaguar Land Rover was targeted in an attack by the group. The company hasn’t been able to make cars for a month as a result. Before that, Qantas reported that annual executive bonuses would be cut by 15% after Scattered Spider targeted them in a July cyber attack.
Clorox sued its help desk provider, Cognizant Technology Solutions, for $380 million in damages, alleging that Cognizant improperly reset passwords for Scattered Spider hackers posing as employees. A few weeks earlier, Whole Foods supplier United Natural Foods estimated it lost up to $400 million in sales when hackers disrupted systems. Three years ago, casinos were hit.
This is real money, and a real threat that most companies are not well prepared to guard against. Today, hackers don’t just bust into corporate systems, they log in — like thieves walking in through open household doors. Almost nine in 10 (88%) breaches via basic web applications involve the use of stolen credentials, according to Verizon’s 2025 Data Breach Investigations Report.
In the case of Scattered Spider, the culprits request password resets, change the phone numbers tied to multifactor authentication solutions, add phone numbers that can then be used to reset passwords, and more.
The rise of AI and AI agents makes securing identities even more critical. As AI agents spread, they form a new class of “non-human identities” that vastly increases the attack surface. As with most cybersecurity threats, Scattered Spider changes tactics all the time, and we are seeing indications of AI use supporting and augmenting their social engineering tactics.
Putting up speed bumps
When modeling approaches to increase resilience against their attacks it’s best to think of the worst case, which is: “assume breach.” Then evaluate how quickly you could detect attacks matching their approach and what your teams would do. While keeping them out is an admirable goal, it is very difficult since they exploit the processes you’ve set up to support your own enterprise users or contractors. The most realistic goal is to set up speed bumps to slow hackers down so they’re stopped before doing much damage.
Steps to bolster defenses include:
Teamwork. Most companies have “security teams.” A lot of companies now have “identity teams.” Identity refers to employees — or AI agents — with access to company assets via passwords and other credentials.
Given the rise of identity-based cybersecurity threats, it’s imperative that these teams fuse or work more closely together to find shared solutions. Company assets are now also highly fragmented, with some in the cloud, some on-premise and some via software-as-a-service providers like Slack. There’s also shadow IT and shadow AI, like ChatGPT, that employees use that security or identity people may not know they’re using. Every organization needs to be clear on who owns what from a security and identity perspective so that guidelines, policies and solutions are more airtight.
Awareness. How exposed are you? How much “identity sprawl” do you have? Identity sprawl occurs over time, just like data sprawl. New hires get digital identities and access to company data. In almost all cases when it comes to the cloud, identity access management policies are too lenient, research finds, which means employees have access to things they don’t really need — which can add security risk. There’s also risk when people leave a company, voluntarily or not, if digital identities don’t get quickly or properly shut down.
With Scattered Spider, we’re seeing criminals access things that real employees haven’t opened in more than a year. Identity management is not one and done. Identities have a life cycle and need to be managed through the whole thing.
Observability. How well can you see what’s going on inside your company? An attack via a network sets off bells and whistles. But when an “employee” logs in who’s not an actual employee, there’s no bell or whistle. Instead, you want to detect threats via signals of suspicious and malicious activity.
Basic Training/Testing. Nearly 70% of organizations recently surveyed “believe their employees lack critical cybersecurity knowledge.” This needs to change because employees, while one of your biggest cybersecurity risks, will also be one of your best lines of defense. Of course, training must extend to third-party vendors.
In its lawsuit, Clorox alleges that a hacker got a multifactor authentication reset by simply telling the help desk worker that the MFA wasn’t working and that he or she was “on my old phone.” Beyond training, test vendor performance so that you’re not blindsided if they’re not doing what they’re supposed to be doing.
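One way to turn the awareness and observability points above into a concrete check, as an added example that is not from the original column or from Permiso Security: a small Python script runs over constructed identity log events and flags (a) a login from an unfamiliar IP within an hour of a help-desk password reset or MFA phone change, and (b) access to a resource the account had not opened in more than a year. The event fields, the known-IP baseline, the last-access table and the time windows are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): a help-desk reset and an MFA phone
# change are followed by a login from an unfamiliar address and access to a share
# the real employee last opened well over a year earlier.
EVENTS = [
    {"ts": "2025-09-01T09:00:00", "user": "jdoe", "type": "password_reset", "ip": "10.0.0.5"},
    {"ts": "2025-09-01T09:04:00", "user": "jdoe", "type": "mfa_phone_changed", "ip": "203.0.113.7"},
    {"ts": "2025-09-01T09:10:00", "user": "jdoe", "type": "login", "ip": "203.0.113.7"},
    {"ts": "2025-09-01T09:30:00", "user": "jdoe", "type": "resource_access", "ip": "203.0.113.7",
     "resource": "finance-share"},
    {"ts": "2025-09-01T10:00:00", "user": "asmith", "type": "login", "ip": "10.0.0.9"},
]

# Hypothetical baselines: addresses each user normally signs in from, and when
# each (user, resource) pair was last opened.
KNOWN_IPS = {"jdoe": {"10.0.0.5"}, "asmith": {"10.0.0.9"}}
LAST_ACCESS = {("jdoe", "finance-share"): "2024-03-15T09:00:00"}

RESET_WINDOW = timedelta(hours=1)   # assumed: how long a reset stays "recent"
DORMANT_DAYS = 365                  # assumed: threshold for a dormant resource


def parse(ts):
    return datetime.fromisoformat(ts)


def detect(events, known_ips, last_access):
    """Return (user, reason, timestamp) alerts for the two signals described above."""
    alerts = []
    recent_changes = defaultdict(list)  # user -> times of resets / MFA changes
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t, user = parse(e["ts"]), e["user"]
        if e["type"] in ("password_reset", "mfa_phone_changed"):
            recent_changes[user].append(t)
        elif e["type"] == "login":
            new_ip = e["ip"] not in known_ips.get(user, set())
            recent = [c for c in recent_changes[user] if t - c <= RESET_WINDOW]
            if new_ip and recent:
                alerts.append((user, "login from new IP within 1h of credential/MFA change", e["ts"]))
        elif e["type"] == "resource_access":
            prev = last_access.get((user, e["resource"]))
            if prev is not None:
                idle = (t - parse(prev)).days
                if idle > DORMANT_DAYS:
                    alerts.append((user, f"access to {e['resource']} dormant for {idle} days", e["ts"]))
    return alerts
```

In practice the baselines would come from an identity provider's sign-in history and file-access audit logs rather than inline dictionaries.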
Like good insurance
No doubt, companies will eventually take the right steps to curb Scattered Spider-like attacks. The bad news is that cybercriminals will adjust to launch new tactics. Companies that make cybersecurity defense a priority will be like people who have good insurance. They will never totally prevent risk, but they’ll mitigate damage.
Jason Martin is a co-founder and co-CEO of Permiso Security, a leader in identity security, providing advanced solutions to help organizations detect and respond to threats targeting human and nonhuman identities across cloud environments. His extensive background includes leadership roles at FireEye, where he contributed to product strategy and engineering. Martin is also an active investor and adviser, supporting various startups in the security domain, and has authored multiple publications that contribute to the understanding of security analytics and risk assessment.
Illustration: Dom Guzman