
Welcome to The Optery Dispatch — a newsletter delivering the latest insights on threat intelligence and proactive cybersecurity strategy. In Issue #3, published July 24, 2025, we cover:
- Scattered Spider’s Use of Data Brokers
- Social Engineering is the Top Reported Attack Vector of 2025
- Marks & Spencer Ransomware Attack Resulted from Social Engineering, Leading to an Estimated $400 Million Loss
Scattered Spider’s Use of Data Brokers: Reconnaissance, Targeting, Threats
One of today’s most dangerous threat groups is using data brokers to build detailed victim profiles, impersonate employees, and breach organizations across multiple industries.
The hacker collective known as Scattered Spider is once again dominating headlines with a wave of high-profile cyberattacks that span multiple industries. According to threat intelligence sources, the group has pursued a sector-by-sector strategy, recently hitting retail organizations like Marks & Spencer, moving on to insurance firms, and now targeting the aviation and transportation sectors. This surge in high-profile attacks has brought renewed attention to who Scattered Spider is and how they operate.
The group’s operations rely heavily on detailed PII, including employee names, job titles, dates of birth, SSN fragments, and phone numbers, which is exploited for social engineering, SIM swapping, and doxxing threats.
Multiple investigations from 2022 through 2025 suggest that Scattered Spider leverages commercial data broker services as part of their reconnaissance efforts, using this information to identify high-value targets, impersonate employees, defeat identity checks, and intimidate victims with accurate personal details.
The extensive research and data collection behind Scattered Spider’s campaigns are evident in both what they know about potential victims and the high success rate of their attacks.
As the group appears to be stockpiling infrastructure to target many organizations across different industries, technical defenses must be paired with proactive data removal and user awareness.
Scattered Spider exploits personal data and human trust for organizational compromise. Companies should respond by removing sensitive details from data brokers, improving verification processes, and educating those on the front lines (IT support staff and employees) to take away Scattered Spider’s biggest advantages.
Read our full article on this: Scattered Spider’s Use of Data Brokers: Reconnaissance, Targeting, and Threats
Social Engineering is the Top Reported Attack Vector of 2025
The latest ITRC breach data shows phishing, smishing, and BEC, fueled by exposed PII, are the leading drivers of compromise in 2025.
The Identity Theft Resource Center’s 2025 H1 Data Breach Report has just been released, and social engineering once again topped the list of reported attack vectors.
Among the report’s key takeaways:
- Phishing, smishing, and BEC were responsible for 46.5% of all breaches where the attack vector was disclosed (251 breaches).
- AI-powered phishing attacks continue to rise, becoming more sophisticated and harder to detect.
- Supply chain attacks are accelerating: 79 such breaches affected 690 entities and 78.3 million individuals.
- Lack of transparency persists: 69% of breach notices failed to disclose the attack vector (1,191 out of 1,732).
- Financial services and healthcare remain top targets, with 387 and 283 breaches, respectively.
As social engineering grows more sophisticated and scalable with AI in the mix, organizations must go beyond training and detection. Reducing the availability of employee PII online is necessary for preventing these attacks.
Read the full report here: ITRC H1 2025 Data Breach Report – ITRC
Marks & Spencer Ransomware Attack Resulted from Social Engineering, Leading to an Estimated $400 Million Loss
A $400M loss at M&S highlights how exposed employee data in the hands of a determined adversary can lead to devastating breaches.
The ransomware attack that hit Marks & Spencer earlier this year has now been confirmed to stem from a sophisticated impersonation-based social engineering attack, and it’s part of a broader campaign linked to Scattered Spider.
From BleepingComputer:
“M&S confirmed [on July 8] that the retail outlet’s network was initially breached in a ‘sophisticated impersonation attack’ that ultimately led to a DragonForce ransomware attack.”
“In our case the initial entry, which was on April the 17th, occurred through what people now call social engineering. As far as I can tell that’s a euphemism for impersonation,” explained M&S chairman Archie Norman to the UK Parliament.
“They just didn’t walk up and say will you change my password. They appeared as somebody with their details. And part of the point of entry also involved a third-party.”
While the DragonForce ransomware was successfully deployed at M&S, Co-op narrowly avoided encryption by shutting systems down in time. The UK’s National Crime Agency (NCA) later arrested four suspects—ages 17 to 20—believed responsible for the coordinated attacks on M&S, Co-op, and Harrods. Although the NCA did not name Scattered Spider, the age range, tactics, and nationalities align with known profiles of the group.
It has been estimated that the attack on M&S will result in a $402,000,000 (£300 million) impact on M&S’s profits.
After striking UK retailers, Scattered Spider’s campaign evolved, shifting to U.S. insurance firms, and later to aviation and transportation companies, including a suspected breach at Qantas that affected 5.7 million customers.
The attack on M&S was the result of Scattered Spider having access to exposed personal details that facilitated the impersonation of an employee. It’s a stark example of why minimizing your organization’s personal data exposure is a business-critical defense.
Thanks for reading! Want us to write about something specific? Submit a topic or idea.
If you’re looking to reduce your organization’s exposed PII and prevent phishing, voice and messaging scams, credential theft, and other PII-based threats, Optery can help. Get started here: Optery for business