Data Breaches | January 5, 2026 | 4 min read

Federal Contractor Sedgwick Hit by TridentLocker Ransomware

New Year's Eve attack on Sedgwick Government Solutions compromises file transfer system serving DHS, CISA, and ICE. TridentLocker claims 3.4GB of stolen data.

Sarah Mitchell

A ransomware gang struck one of the largest claims management providers serving federal agencies just hours before midnight on New Year's Eve. Sedgwick Government Solutions, a subsidiary providing services to the Department of Homeland Security, CISA, and Immigration and Customs Enforcement, confirmed it detected a cybersecurity incident on December 30, 2025.

The TridentLocker ransomware group claimed responsibility via its leak site on December 31, alleging it stole 3.4 gigabytes of data from the company's file transfer system. Sedgwick disclosed the breach on January 2 after completing initial incident response procedures.

What Happened

According to Sedgwick's statement, attackers compromised an "isolated file transfer system" used by the government solutions subsidiary. The company says there's no evidence that claims management servers were accessed, and client services continue without disruption.

The breach occurred around 11 PM on December 30. Within 24 hours, TridentLocker posted Sedgwick Government Solutions to its Tor-based leak site alongside alleged proof of the intrusion.

"Following the detection of the incident, we initiated our incident response protocols and engaged external cybersecurity experts through outside counsel to assist with our investigation," a Sedgwick spokesperson told The Record.

Who Is Affected

Sedgwick Government Solutions handles claims and risk management for some of the most sensitive federal agencies in the United States:

  • Department of Homeland Security (DHS)
  • Immigration and Customs Enforcement (ICE)
  • Customs and Border Protection (CBP)
  • U.S. Citizenship and Immigration Services (USCIS)
  • Department of Labor
  • Cybersecurity and Infrastructure Security Agency (CISA)

The irony of CISA being a client of a breached contractor isn't lost on security professionals. The agency responsible for helping organizations defend against ransomware attacks now faces potential exposure through a third-party provider.

Beyond federal clients, Sedgwick Government Solutions also serves municipal agencies across all 50 states, the Smithsonian Institution, and the Port Authority of New York and New Jersey. The company's parent organization employs approximately 33,000 people worldwide and generates an estimated $4-5 billion in annual revenue.

Who Is TridentLocker

TridentLocker is a ransomware-as-a-service operation that emerged in late November 2025. The group follows the standard double-extortion playbook: encrypt systems first, then threaten to publish exfiltrated data if victims refuse to pay.

The group's leak site currently lists 12 confirmed victims since operations began November 11, 2025. Prior to Sedgwick, TridentLocker claimed responsibility for an attack on bpost, Belgium's national postal service, which confirmed suffering a data breach.

TridentLocker's targeting appears opportunistic rather than sector-specific, with victims spanning manufacturing, government, IT, and professional services. Geographically, the group has focused on North America and Europe, though victims in China and the UK have also appeared on its leak site.

For organizations unfamiliar with ransomware mechanics, TridentLocker operates the typical affiliate model where the core developers provide the malware and infrastructure while partners conduct the actual intrusions.

What Sedgwick Is Doing

The company emphasized that Sedgwick Government Solutions operates on segmented infrastructure separate from the broader Sedgwick business. No other Sedgwick systems or data were affected by the incident.

Sedgwick has notified law enforcement and is in direct contact with affected customers. The company hasn't disclosed whether any ransom demands were made or if payment is being considered.

"There is no evidence of access to claims management servers nor any impact on Sedgwick Government Solutions' ability to continue serving its clients," the company stated.

Why This Matters

Federal contractors represent high-value targets for ransomware operators. Even when classified systems remain untouched, the data flowing through administrative and claims management systems can include sensitive personal information about government employees, claimants, and operational details.

This attack follows a pattern of threat actors targeting the government supply chain rather than agencies directly. Third-party vendors often have less rigorous security than the agencies they serve, creating attractive entry points for attackers seeking to profit from federal data.

The timing also raises questions. Attacking on New Year's Eve maximizes the window before detection and response. Security teams run on skeleton staffing during holidays, and the decision-makers needed to authorize incident response may be unreachable. TridentLocker appears to understand this dynamic: the group emerged just weeks before the holiday season.

Organizations serving government clients should review their own exposure. If you're handling data on behalf of federal agencies, assume you're a target. Segmentation, such as the separation Sedgwick implemented between its government and commercial operations, can limit the blast radius when attacks succeed.
