Sedgwick Government Solutions Confirms Cyberattack
Claims administration firm Sedgwick has confirmed a cybersecurity incident at its government-focused subsidiary, Sedgwick Government Solutions, after the TridentLocker ransomware group publicly claimed responsibility for stealing approximately 3.4 GB of sensitive data.
Incident Overview
| Attribute | Details |
|---|---|
| Victim | Sedgwick Government Solutions |
| Parent Company | Sedgwick Claims Management Services |
| Threat Actor | TridentLocker ransomware group |
| Data Stolen | 3.4 GB (claimed) |
| Discovery | December 31, 2025 (dark web leak site) |
| Public Disclosure | February 2026 |
What is Sedgwick?
Sedgwick is a leading claims and productivity management company providing:
- Workers' compensation claims administration
- Disability and leave management
- Property and casualty claims processing
- Government benefits administration
Sedgwick Government Solutions
The affected subsidiary specifically handles:
- Government employee benefits (federal, state, local)
- Workers' compensation for public sector employees
- Disability claims for government workers
- Sensitive personal and medical information
Attack Timeline
| Date | Event |
|---|---|
| Unknown | Initial compromise of Sedgwick Government Solutions network |
| Dec 31, 2025 | TridentLocker posts Sedgwick on dark web leak site |
| Early Feb 2026 | Sedgwick begins internal investigation |
| Feb 12, 2026 | Sedgwick publicly confirms cybersecurity incident |
What Data Was Stolen?
While Sedgwick has not disclosed specifics, TridentLocker claims the 3.4 GB includes:
Likely Data Types
- Personally Identifiable Information (PII) — Names, addresses, Social Security numbers
- Medical records — Disability and workers' comp claim details
- Financial information — Bank account details for benefit payments
- Employment records — Government employee data
- Internal documents — Contracts, operational procedures
Potential Impact
If the claims are accurate:
- Thousands of government employees could be affected
- Identity theft risk from exposed SSNs and personal data
- Medical privacy violations (HIPAA implications)
- Fraud risk from stolen financial account information
TridentLocker Ransomware Group
Who is TridentLocker?
TridentLocker is a relatively new ransomware-as-a-service (RaaS) operation that emerged in late 2025. Their tactics include:
- Double extortion — Encrypt systems AND steal data
- Dark web leak sites — Publish victim data if ransom not paid
- Targeted attacks — Focus on high-value organizations
- Affiliate model — Multiple threat actors use TridentLocker tools
Known TridentLocker Victims
- Sedgwick Government Solutions (Feb 2026) — 3.4 GB stolen
- Healthcare organizations (Jan 2026) — Multiple small targets
- Manufacturing firms (Dec 2025) — Supply chain attacks
How the Attack Likely Occurred
Initial Access
Typical TridentLocker attack vectors:
- Phishing emails with malicious attachments
- Compromised Remote Desktop Protocol (RDP) credentials
- Exploited VPN vulnerabilities
- Third-party vendor compromise
Attack Chain
1. Initial Compromise — Phishing or credential theft
2. Privilege Escalation — Gain admin access
3. Lateral Movement — Spread across network
4. Data Exfiltration — Steal 3.4 GB of sensitive files
5. Ransomware Deployment — Encrypt systems (if deployed)
6. Extortion — Demand payment or publish data
Impact on Sedgwick
Business Consequences
- Regulatory scrutiny — HIPAA, state data breach laws
- Client trust erosion — Government agencies may reconsider contracts
- Legal liability — Class action lawsuits from affected individuals
- Incident response costs — Forensics, legal, notification expenses
Regulatory Risks
- HIPAA violations — Medical records exposure ($100-$50,000 per violation)
- State breach notification laws — Required to notify affected individuals
- Government contract compliance — May violate federal cybersecurity requirements
- SEC disclosure (if material impact)
Sedgwick's Response
According to Sedgwick's statement:
"Sedgwick recently became aware of a cybersecurity incident involving unauthorized access to certain systems of Sedgwick Government Solutions. We immediately launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement."
Actions Taken
- Engaged cybersecurity experts — Third-party incident response firm
- Notified law enforcement — FBI, potentially CISA
- Launched investigation — Forensic analysis of compromised systems
- Implementing safeguards — Enhanced security measures
Notably, Sedgwick has not yet confirmed:
- The volume of data stolen
- Whether systems were encrypted
- If ransomware was deployed
- How many individuals are affected
What Affected Individuals Should Do
If you are a Sedgwick Government Solutions claimant or government employee:
Immediate Actions
- Monitor accounts — Watch for unauthorized transactions
- Enable fraud alerts — Contact credit bureaus (Equifax, Experian, TransUnion)
- Freeze credit — Prevent new accounts from being opened
- Change passwords — If you had a Sedgwick online account
- Watch for phishing — Scammers may use stolen data for targeted attacks
Long-Term Protection
- Sign up for credit monitoring — Sedgwick may offer free monitoring services
- File taxes early — Prevent tax refund fraud with stolen SSNs
- Review medical bills — Watch for fraudulent medical claims
- Report suspicious activity — Contact Sedgwick and law enforcement
Lessons for Organizations
This breach highlights critical security gaps in third-party claims administrators:
Key Takeaways
- Third-party risk — Government agencies must audit vendor security
- Data minimization — Only collect and retain necessary data
- Encryption — Protect data at rest and in transit
- Incident response readiness — Have IR plans for ransomware scenarios
- Monitoring and detection — Detect exfiltration before encryption
Current Status
Sedgwick's investigation is ongoing. The company has not yet:
- Disclosed the number of affected individuals
- Confirmed whether ransom was paid
- Announced whether data was published on the dark web
TridentLocker's dark web leak site lists Sedgwick as a victim, with sample data posted as proof. The full dataset has not been published, suggesting that Sedgwick may still be in negotiations or that the ransom was paid.
Broader Implications
For Government Contractors
This breach underscores the risk of supply chain attacks on government services:
- Contractors hold vast amounts of sensitive government employee data
- Many lack the security resources of federal agencies
- Attackers increasingly target third parties to access government data
For Ransomware Evolution
TridentLocker represents the industrialization of ransomware:
- New RaaS groups emerge monthly
- Barriers to entry are lowering
- Double extortion is now standard
- Leak sites add reputational pressure
Sources
- SecurityWeek — Sedgwick Confirms Cyberattack
- Dark Web Informer — Ransomware Attack Update February 2026