Canadian Cyber Security Journal

TridentLocker Ransomware Hits Sedgwick Government Solutions: What the Breach of a Federal Claims Contractor Means for Canada

What Happened

Claims management giant Sedgwick confirmed a ransomware attack targeting Sedgwick Government Solutions, a subsidiary providing claims and risk management services to US federal agencies including the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. The TridentLocker ransomware group disclosed the attack on New Year’s Eve and claimed to have exfiltrated 3.4 gigabytes of data from a file transfer system at the subsidiary.

Sedgwick stated the attack was limited to an isolated file transfer system and did not reach core claims management servers or the parent company’s broader network. Law enforcement was notified and impacted customers are being contacted. Sedgwick Government Solutions’ operations continued without disruption throughout the incident. Read the full report from SecurityWeek.

Why This Matters for Canadian Organizations

Sedgwick operates in Canada through its broader claims and risk management business, serving insurers, employers, and government entities. The attack on its government-facing subsidiary follows an established threat pattern: ransomware groups increasingly target the administrative and support layer of government rather than agencies directly. This approach is effective because contractors often hold sensitive operational data — claims records, personal health information, financial transactions — without the same security controls applied to government networks themselves.

For Canadian public sector suppliers and government contractors, this incident is a concrete warning. Federal and provincial agencies in Canada rely on third-party claims administrators, benefits managers, and service providers who handle protected data under frameworks such as PIPEDA and the Privacy Act. A breach at one of these firms triggers breach notification obligations, potential regulatory scrutiny from the Office of the Privacy Commissioner, and reputational damage severe enough to end contracts.

The TridentLocker group’s use of a file transfer system as the initial intrusion point also echoes the Clop ransomware campaigns against Fortra GoAnywhere and MOVEit in prior years. Managed file transfer and secure FTP platforms remain high-value targets for ransomware operators looking for a beachhead into sensitive data without penetrating core infrastructure.

What to Do

Organizations running managed file transfer platforms — including GoAnywhere, MOVEit, Cleo Harmony, or equivalent tools — should audit internet-exposed instances and confirm patch currency. Vendors handling government data at any level should review data minimization practices: file transfer systems holding sensitive records longer than operationally necessary create unnecessary exposure. Incident response retainers and tabletop exercises specific to contractor breach scenarios are worth prioritizing if you operate in the public sector supply chain. Log access to file transfer platforms and set alerts on unusual outbound data volumes — the 3.4 GB exfiltration in this case was detectable with basic DLP controls.
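The outbound-volume alert recommended above, sketched as an added example (not from the original article or from any vendor's product): the key=value log format, account names, and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in an assumed key=value format; real MFT products log
# differently, so adapt LINE_RE to the platform's actual audit log.
SAMPLE_LOG = """\
2025-06-01T09:05:11Z user=claims_batch src=198.51.100.10 action=download bytes=40000000
2025-06-01T09:20:00Z user=hr_sync src=198.51.100.22 action=download bytes=300000000
2025-06-01T10:05:09Z user=claims_batch src=198.51.100.10 action=download bytes=55000000
2025-06-01T10:20:00Z user=hr_sync src=198.51.100.22 action=download bytes=300000000
2025-06-01T11:05:10Z user=claims_batch src=198.51.100.10 action=download bytes=45000000
2025-06-01T11:30:00Z user=claims_batch src=198.51.100.10 action=upload bytes=9000000000
2025-06-02T02:03:41Z user=claims_batch src=203.0.113.45 action=download bytes=1200000000
2025-06-02T02:19:02Z user=claims_batch src=203.0.113.45 action=download bytes=1100000000
2025-06-02T02:41:37Z user=claims_batch src=203.0.113.45 action=download bytes=1100000000
garbled line without fields
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)$")

def hourly_outbound(log_text):
    """Sum bytes leaving the platform (downloads) per (user, hour)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "download":
            continue  # skip uploads and unparseable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        totals[(m["user"], ts.replace(minute=0, second=0))] += int(m["bytes"])
    return totals

def find_alerts(log_text, factor=5, floor=500_000_000):
    """Flag hours where outbound volume is >= floor AND > factor x the
    account's median of earlier hours. With no history the baseline is 0,
    so a new account is judged on the floor alone."""
    per_user = defaultdict(list)
    ordered = sorted(hourly_outbound(log_text).items(), key=lambda kv: kv[0][1])
    for (user, hour), total in ordered:
        per_user[user].append((hour, total))
    alerts = []
    for user, series in per_user.items():
        for i, (hour, total) in enumerate(series):
            history = [t for _, t in series[:i]]
            baseline = median(history) if history else 0
            if total >= floor and total > factor * baseline:
                alerts.append((user, hour.isoformat(), total))
    return alerts
```

The floor keeps low-volume accounts from alerting on small relative spikes, while the per-account median keeps accounts that routinely move large batches from alerting every hour.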
