Sedgwick, one of the world’s largest claims management companies, confirmed a cybersecurity incident at its government-focused subsidiary on January 4, 2026, after the TridentLocker ransomware group claimed responsibility for the attack on New Year’s Eve.
Incident overview
| Attribute | Details |
|---|---|
| Victim | Sedgwick Government Solutions |
| Parent company | Sedgwick |
| Threat actor | TridentLocker ransomware group |
| Data claimed | 3.4 GB |
| Attack claimed (leak-site post) | December 31, 2025 |
| Disclosure date | January 4, 2026 |
| Affected system | Isolated file transfer system |
| Core systems affected | No (per Sedgwick) |
Timeline
| Date | Event |
|---|---|
| December 31, 2025 | TridentLocker claims attack on leak site |
| January 4, 2026 | Sedgwick confirms incident |
| January 2026 | Law enforcement notified |
| Ongoing | Investigation continues |
The New Year’s Eve timing of the leak-site claim fits the documented pattern of ransomware groups striking over holidays, when security staffing is reduced.
What was targeted
TridentLocker claims to have stolen 3.4 gigabytes of data from Sedgwick Government Solutions, the company’s federal contractor subsidiary.
Sedgwick’s statement
“Following the detection of the incident, we initiated our incident response protocols and engaged external cybersecurity experts through outside counsel to assist with our investigation of the affected isolated file transfer system. Importantly, Sedgwick Government Solutions is segmented from the rest of our business, and no wider Sedgwick systems or data were affected.”
| System type | Status |
|---|---|
| Isolated file transfer system | Affected |
| Claims management servers | No evidence of access |
| Main Sedgwick network | Not affected |
| Client service capability | Maintained |
Federal agency clients at risk
Sedgwick Government Solutions provides claims and risk management services to major federal agencies:
| Agency | Services provided |
|---|---|
| Department of Homeland Security (DHS) | Claims administration |
| Immigration and Customs Enforcement (ICE) | Risk management |
| Customs and Border Protection (CBP) | Workers’ compensation |
| Citizenship and Immigration Services (USCIS) | Claims processing |
| Department of Labor (DOL) | Benefits administration |
| CISA | Risk management services |
| Smithsonian Institution | Claims services |
| Port Authority of NY/NJ | Risk management |
The company also provides services to municipal agencies in all 50 states.
The irony of a ransomware attack affecting a CISA contractor underscores that no organization is immune.
Data at risk
Given Sedgwick’s role in claims processing, compromised data could include:
| Data type | Examples | Risk level |
|---|---|---|
| Personal identifiers | Names, SSNs, addresses | Critical |
| Medical information | Injury details, treatment records | Critical |
| Payment data | Bank accounts, payment history | High |
| Employment records | Salary, job history, benefits | High |
| Government program data | Benefits claims, eligibility | High |
Federal employee workers’ compensation claims contain particularly sensitive information combining PII, medical records, and employment details.
About Sedgwick
| Metric | Value |
|---|---|
| Employees | 33,000+ |
| Countries | 80 |
| Clients | 10,000+ |
| Fortune 500 coverage | 59% |
| Government agency clients | 20+ |
| Claims processed annually | Millions |
Sedgwick handles workers’ compensation, property and casualty claims, disability and leave management, and government services administration.
About TridentLocker
TridentLocker is a ransomware-as-a-service (RaaS) operation that emerged in November 2025; its first leak-site post was observed on November 11, 2025.
Group profile
| Attribute | Details |
|---|---|
| First observed | November 11, 2025 |
| Model | Ransomware-as-a-Service (RaaS) |
| Tactic | Double extortion (encryption + data leak) |
| Confirmed victims | 12 (as of early January 2026) |
| Target regions | North America, Europe, UK, China |
| Target sectors | Manufacturing, government, IT, professional services |
TridentLocker victim timeline
| Date | Target | Sector | Region | Data claimed |
|---|---|---|---|---|
| November 11, 2025 | First leak site post | N/A | N/A | Group emergence |
| November 2025 | bpost | Postal/logistics | Belgium | Undisclosed |
| November 2025 | GuestTek Interactive Entertainment | Hospitality IT | Canada | Customer data |
| November 2025 | Typecase | E-commerce/retail | UK | Business records |
| December 2025 | Manufacturing firm (unnamed) | Manufacturing | Germany | Production data |
| December 2025 | IT service provider | Technology | Netherlands | Client data |
| December 31, 2025 | Sedgwick Government Solutions | Government contractor | USA | 3.4 GB |
TridentLocker technical characteristics
| Attribute | Details |
|---|---|
| Encryption algorithm | AES-256 + RSA-2048 hybrid |
| File extension | .tl0ck3d |
| Ransom note | DECRYPT_INSTRUCTIONS.html |
| Payment method | Bitcoin, Monero |
| Communication | Onion-based leak site and negotiation portal |
| Affiliate split | 70/30 (affiliate/core team) |
The group’s rapid victim accumulation—12 confirmed in under two months—suggests either an experienced team operating under a new brand or aggressive affiliate recruitment.
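The extension and ransom-note name in the table above are the kind of indicator a responder sweeps a file share for as soon as a claim like this appears. The following Python is an added example, not code from this page or from any vendor or agency: it combines the two name indicators reported above with a per-file entropy check, so that a variant that changes the extension still surfaces as high-entropy content. The sample share contents are constructed, and the 7.5 bits-per-byte threshold is an assumption chosen to separate AES output from ordinary documents.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

# Indicators as reported on this page for TridentLocker. Treat them as
# leads to confirm, not ground truth: affiliates change names at will.
ENCRYPTED_EXT = ".tl0ck3d"
RANSOM_NOTE = "DECRYPT_INSTRUCTIONS.html"
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); AES ciphertext sits near 8.0
SAMPLE_BYTES = 4096      # bytes read from the head of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, head: bytes) -> set:
    """Indicator tags that apply to one file: 'note', 'ext', 'entropy'."""
    tags = set()
    name = os.path.basename(path)
    if name == RANSOM_NOTE:
        tags.add("note")
    if name.endswith(ENCRYPTED_EXT):
        tags.add("ext")
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        tags.add("entropy")
    return tags


def sweep(files: dict) -> dict:
    """Summarise indicators over {path: head_bytes}.

    A directory is suspect if it holds a ransom note or if at least half
    of its files carry the encrypted extension. High-entropy files with
    neither name indicator are listed separately: archives and already
    encrypted formats land there too, so they are leads, not verdicts.
    """
    per_dir = defaultdict(lambda: {"total": 0, "ext": 0, "note": False})
    entropy_only = []
    for path, head in files.items():
        tags = classify(path, head)
        d = per_dir[os.path.dirname(path)]
        if "note" in tags:
            d["note"] = True
            continue  # the note is the attacker's file, not a victim file
        d["total"] += 1
        if "ext" in tags:
            d["ext"] += 1
        elif "entropy" in tags:
            entropy_only.append(path)
    suspect = sorted(
        name for name, d in per_dir.items()
        if d["note"] or (d["total"] and d["ext"] / d["total"] >= 0.5)
    )
    return {
        "suspect_dirs": suspect,
        "encrypted_files": sum(d["ext"] for d in per_dir.values()),
        "entropy_only": sorted(entropy_only),
        "per_dir": dict(per_dir),
    }


def sweep_tree(root: str) -> dict:
    """Walk a real directory tree (e.g. a read-only mounted share) and sweep it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
    return sweep(files)


def _pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for AES output (constructed)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


# Constructed picture of a file share after an incident; not real data.
SAMPLE_SHARE = {
    "share/claims/2025/case-1001.pdf.tl0ck3d": _pseudo_ciphertext(SAMPLE_BYTES),
    "share/claims/2025/case-1002.pdf.tl0ck3d": _pseudo_ciphertext(SAMPLE_BYTES),
    "share/claims/2025/DECRYPT_INSTRUCTIONS.html": b"<html>Your files are encrypted.</html>",
    "share/claims/2024/case-0917.pdf": b"%PDF-1.4 claim 0917 " * 200,
    "share/claims/2024/backup-2024.zip": _pseudo_ciphertext(SAMPLE_BYTES),
    "share/transfer/inbox/readme.txt": b"Drop files here for pickup.\n" * 40,
}

if __name__ == "__main__":
    result = sweep(SAMPLE_SHARE)
    print("suspect directories:", result["suspect_dirs"])
    print("files with encrypted extension:", result["encrypted_files"])
    print("high entropy, no name indicator:", result["entropy_only"])
```

The entropy check deliberately decides nothing on its own: a zip archive lands in `entropy_only` exactly as ciphertext does, so those paths are hand-check leads, while a directory is only called suspect on the name indicators. Run `sweep_tree()` against a share mounted read-only from a clean host; mounting shares from a machine that may already be compromised is how the next share gets encrypted.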
Third-party risk implications
Claims administrators represent high-value targets because a single breach can impact thousands of organizations and millions of individuals.
Sedgwick’s reach
| Factor | Implication |
|---|---|
| 59% Fortune 500 coverage | A breach of core systems could touch a majority of large US companies (not the case here, per Sedgwick) |
| Federal employee data | Spans multiple government agencies |
| Claims data sensitivity | Medical, financial, personal combined |
| State and municipal clients | Municipal clients in all 50 states share the concentration risk |
Attackers increasingly target service providers for this leverage—one breach yields data from hundreds of client organizations.
Response
Sedgwick’s actions
| Action | Status |
|---|---|
| Incident response protocols | Initiated |
| External cybersecurity experts | Engaged via outside counsel |
| Law enforcement notification | Complete |
| Affected customer notification | In progress |
| Network segmentation verification | Asserted effective (per Sedgwick’s statement) |
Government response
CISA and DHS declined to comment on the breach.
Recommendations
For organizations using Sedgwick
| Priority | Action |
|---|---|
| High | Monitor for breach notifications from Sedgwick |
| High | Review data sharing agreements—understand what was shared |
| High | Assess potential exposure—what information could be compromised |
| Medium | Prepare incident response—be ready to notify affected individuals |
| Medium | Watch for targeted phishing using stolen data |
| Ongoing | Track investigation updates |
For all organizations with third-party claims processors
| Control | Purpose |
|---|---|
| Vendor security assessments | Evaluate provider security posture |
| Data minimization | Limit what you share with vendors |
| Contractual protections | Require breach notification clauses |
| Segmentation verification | Confirm vendors segment client data |
| Insurance review | Ensure coverage for third-party breaches |
| Due diligence updates | Regular reassessment of vendor risk |
For claims processing organizations
| Priority | Action |
|---|---|
| High | Review network segmentation effectiveness |
| High | Audit file transfer system security |
| High | Implement holiday security staffing plans |
| Medium | Test incident response during reduced staffing |
| Ongoing | Monitor emerging ransomware groups |
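“Review network segmentation effectiveness” only means something if someone probes across the boundary from inside each zone rather than reading the firewall rule base. The block below is an added Python example, not Sedgwick’s tooling or anything from this page: the zone names, hostnames and ports are an assumed layout, and the observed probe results are constructed. It separates a true violation (a denied flow connects) from a weaker but still important finding (a denied flow is refused by the destination, meaning the boundary passed the packet and only the host’s listener state stopped it).

```python
import socket

# Hypothetical zone layout assumed for this example (not Sedgwick's real
# network): the file-transfer zone may reach its own SFTP host and nothing
# else in the claims network; the claims zone must not reach the transfer host.
# Keys are (source_zone, destination_host, port); values are the policy.
POLICY = {
    ("transfer-zone", "sftp.transfer.example", 22): "allow",
    ("transfer-zone", "claims-db.internal.example", 1433): "deny",
    ("transfer-zone", "dc01.internal.example", 445): "deny",
    ("transfer-zone", "dc01.internal.example", 389): "deny",
    ("claims-zone", "claims-db.internal.example", 1433): "allow",
    ("claims-zone", "sftp.transfer.example", 22): "deny",
}


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect probe: 'open', 'refused', or 'filtered' (timeout / no route)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered"


def run_from_zone(zone: str, policy: dict, probe_fn=probe) -> dict:
    """Probe every policy flow whose source is `zone`; run it on a host in that zone."""
    return {flow: probe_fn(flow[1], flow[2]) for flow in policy if flow[0] == zone}


def evaluate(policy: dict, observations: dict) -> list:
    """Compare observed probe results with the policy.

    Returns (flow, expected, observed, severity) tuples, where severity is:
      'violation'    a denied flow connected; the boundary is not enforced
      'reachable'    a denied flow was refused by the host, so packets still
                     cross the boundary and the only control is the host itself
      'broken-allow' a permitted flow does not work (misconfiguration or outage)
      'gap'          nobody probed this flow yet; the verification is incomplete
    Flows that behave as the policy says produce no finding.
    """
    findings = []
    for flow, expected in policy.items():
        observed = observations.get(flow, "untested")
        if observed == "untested":
            findings.append((flow, expected, observed, "gap"))
        elif expected == "deny" and observed == "open":
            findings.append((flow, expected, observed, "violation"))
        elif expected == "deny" and observed == "refused":
            findings.append((flow, expected, observed, "reachable"))
        elif expected == "allow" and observed != "open":
            findings.append((flow, expected, observed, "broken-allow"))
    return findings


# Constructed probe results from a host in the transfer zone; not real output.
OBSERVED_TRANSFER_ZONE = {
    ("transfer-zone", "sftp.transfer.example", 22): "open",
    ("transfer-zone", "claims-db.internal.example", 1433): "filtered",
    ("transfer-zone", "dc01.internal.example", 445): "refused",
    ("transfer-zone", "dc01.internal.example", 389): "open",
}

if __name__ == "__main__":
    # Real use: observed = run_from_zone("transfer-zone", POLICY)
    for flow, expected, observed, severity in evaluate(POLICY, OBSERVED_TRANSFER_ZONE):
        print(f"{severity:13} {flow[0]} -> {flow[1]}:{flow[2]} "
              f"expected={expected} observed={observed}")
```

Run `run_from_zone()` on a host inside each zone and merge the results before calling `evaluate()`; a flow nobody probed is reported as a gap rather than silently passing. The `reachable` finding is the one most reviews miss: a closed port on a domain controller today is an open port after the next service is enabled, so a boundary that relies on it is not a boundary. Scheduling the probe before holiday periods also gives the reduced-staffing test in the table above a concrete artifact to compare against.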
Context
The Sedgwick breach illustrates the concentration of risk in claims administration. Organizations outsource claims processing for efficiency, but that consolidation creates single points of failure that attackers can exploit for maximum impact.
Federal contractor risk
Federal contractors have faced repeated ransomware campaigns:
| Year | Target | Impact |
|---|---|---|
| 2025 | Conduent | 10+ million individuals’ data exposed |
| 2025 | Chemonics | USAID operations affected |
| 2026 | Sedgwick Government Solutions | Federal agency claims data at risk |
The pattern suggests ransomware groups actively target the federal contractor supply chain.
TridentLocker infrastructure analysis
Leak site characteristics
| Feature | Implementation |
|---|---|
| Hosting | Tor hidden service |
| Design | Professional, countdown timers |
| Victim display | Grid layout with data previews |
| Negotiation | Separate portal per victim |
| Updates | Regular (2-3 new victims weekly) |
Communication style
TridentLocker’s leak site posts follow a consistent pattern:
- Initial listing with company name and brief description
- Countdown timer (typically 7-14 days)
- Data sample release (1-5% of claimed data)
- Full publication if ransom not paid
- Archives maintained indefinitely
Indicators of professionalism
| Indicator | Assessment |
|---|---|
| Consistent branding | Logo, color scheme across communications |
| Professional language | Error-free English in ransom notes |
| Quick response times | 1-4 hour average on negotiation portal |
| Payment tracking | Automated confirmation systems |
| Data organization | Structured folders in leak releases |
These characteristics suggest an organized operation rather than opportunistic actors, potentially including members from previously disrupted ransomware groups.
Holiday timing analysis
TridentLocker’s attack on New Year’s Eve follows documented ransomware patterns:
| Holiday period | Attack increase | Reason |
|---|---|---|
| Thanksgiving weekend | 40%+ | Reduced staffing |
| Christmas/New Year | 55%+ | Extended vacation periods |
| Summer holidays (July/Aug) | 25%+ | IT staff vacations |
| Federal holidays | 30%+ | Government contractor vulnerability |
CISA and FBI joint advisory (November 2025) specifically warned organizations about increased ransomware activity during the December 2025-January 2026 holiday period.
Sedgwick’s network segmentation appears, on the company’s own account, to have limited the blast radius of this attack: a positive example of defense-in-depth working as intended. However, the 3.4 GB of data claimed from a “file transfer system” could still contain highly sensitive federal employee information. A file transfer system exists to move data between parties, so isolating the host limits lateral movement but says nothing about the sensitivity of the files staged on it at the time.