What Happened
On December 31, 2025, the TridentLocker ransomware group listed Sedgwick Government Solutions (SGS) as a victim on its dark web leak site, claiming to have exfiltrated 3.39 GB of documents. Sedgwick publicly disclosed the cybersecurity incident on January 4, 2026. SGS is a subsidiary of Sedgwick, a multinational claims management corporation operating in 80 countries with over 33,000 employees.
Why This Matters
Sedgwick Government Solutions provides claims and risk management services to major U.S. federal agencies. Their clients include the Department of Homeland Security, Immigration and Customs Enforcement, Customs and Border Protection, U.S. Citizenship and Immigration Services, Department of Labor, CISA (Cybersecurity and Infrastructure Security Agency), the Smithsonian Institution, and the Port Authority of New York and New Jersey.
The compromise of a contractor with this level of federal access raises concerns about potential exposure of government personnel and operational data.
How They Got In
The attackers compromised a file transfer system at the SGS subsidiary. TridentLocker posted samples of the exfiltrated documents on its Tor-based leak site as proof of compromise, following the standard double extortion model where they encrypt systems and threaten to publish stolen data unless a ransom is paid.
Company Response
Sedgwick stated that it immediately activated its incident response protocols with external cybersecurity experts. The company emphasized that SGS is segmented from the rest of Sedgwick’s business, and no wider Sedgwick systems or data were affected. There was no evidence of access to claims management servers, and the subsidiary’s ability to serve clients was not impacted. Law enforcement was notified, and impacted customers are being informed.
CISA and DHS did not respond to requests for comment regarding potential exposure of government data.
About TridentLocker
TridentLocker is a ransomware-as-a-service operation that emerged in late November 2025. The group uses standard double extortion tactics combining encryption with data leak threats and identifies itself as a data broker in addition to a ransomware operator. They primarily target North America and Europe across diverse sectors including manufacturing, government, IT, and professional services. TridentLocker has listed approximately a dozen victims on its leak site, including IQS, LGM Holdings, Noment Inc., and Belgian postal service Bpost.
Timeline
TridentLocker emerged in late November 2025. On December 31, 2025, they listed SGS as a victim on their leak site. Sedgwick publicly disclosed the incident on January 4, 2026.
What Organizations Should Do
Organizations with federal contractor relationships should verify that subsidiary and partner networks are segmented from parent infrastructure, and that the segmentation holds under test rather than only on a network diagram. File transfer systems, a recurring initial access point for extortion groups, should be audited for hardened configuration, least-privilege access controls, patch level and logging. Threat monitoring should extend to newly emerged ransomware groups and their leak sites: TridentLocker went from emergence to a federal contractor victim in approximately five weeks. Incident response plans should be exercised against scenarios involving exposure of government data, and contractual security requirements such as DFARS and CMMC should be verified across every subsidiary, not only the parent company.
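The article does not identify the file transfer product involved, so the following is an added illustration of the "audit file transfer systems" recommendation, not code from Sedgwick, SGS or TridentLocker's tooling. It assumes the common case of SFTP served by OpenSSH and checks an sshd_config for weak settings (password authentication, root login, unconfined SFTP users, insufficient logging). The two sample configurations and the group name sftponly are constructed for the example; the directive names and defaults are those of sshd(8), which uses the first value seen for a keyword.

```python
"""Audit an OpenSSH sshd_config used as an SFTP file transfer endpoint.

Added example: assumes SFTP over OpenSSH, which the article does not state.
sshd(8) takes the first value given for a keyword and ignores later
duplicates, so the parser keeps the first occurrence. Match blocks are kept
separately because that is where SFTP-only accounts are usually confined.
"""
from dataclasses import dataclass, field


@dataclass
class SshdConfig:
    global_opts: dict = field(default_factory=dict)   # lowercase keyword -> value
    match_blocks: list = field(default_factory=list)  # (criteria, {keyword: value})


def parse_sshd_config(text: str) -> SshdConfig:
    cfg = SshdConfig()
    current = cfg.global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            cfg.match_blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first value wins, as in sshd(8)
    return cfg


def audit_sftp_config(text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_sshd_config(text)
    g = cfg.global_opts
    findings = []

    def opt(name: str, default: str) -> str:
        # Fall back to the sshd(8) default when the directive is absent.
        return g.get(name.lower(), default).lower()

    if opt("PasswordAuthentication", "yes") == "yes":
        findings.append("PasswordAuthentication enabled; require key-based auth")
    if opt("PermitRootLogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin not set to 'no'")
    if opt("PubkeyAuthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication disabled")
    if opt("X11Forwarding", "no") == "yes":
        findings.append("X11Forwarding enabled on a file transfer host")
    if opt("LogLevel", "info") not in ("verbose", "debug", "debug1", "debug2", "debug3"):
        findings.append("LogLevel below VERBOSE; key fingerprints are not logged")
    if not opt("Subsystem", "").startswith("sftp"):
        findings.append("no sftp Subsystem configured")

    # SFTP-only accounts should be confined by a Match block that chroots them,
    # forces internal-sftp and disables forwarding (no shell, no pivoting).
    confined = False
    for criteria, block in cfg.match_blocks:
        if block.get("forcecommand", "").lower() == "internal-sftp" and "chrootdirectory" in block:
            confined = True
            if block.get("allowtcpforwarding", "yes").lower() != "no":
                findings.append(f"Match {criteria}: AllowTcpForwarding not disabled")
    if not confined:
        findings.append("no Match block chroots SFTP users with ForceCommand internal-sftp")
    return findings


# Constructed sample configurations (not from any real system).
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED_CONFIG = """
Port 22
LogLevel VERBOSE
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
X11Forwarding no
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {len(audit_sftp_config(text))} finding(s)")
        for f in audit_sftp_config(text):
            print("  -", f)
```

Run against a real host's /etc/ssh/sshd_config after `sshd -T` has been used to confirm the effective values; the script reads the file as written and does not evaluate Match criteria against actual users, so treat its output as a checklist rather than a verdict.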