TL;DR: A ransomware gang called TridentLocker claims to have breached Sedgwick Government Solutions, a contractor that handles claims and risk management for ICE, Customs and Border Protection, USCIS, CISA, the Coast Guard, and at least 20 other federal agencies. The attackers say they stole 3.4 GB of data and have already started publishing portions online. CISA and DHS aren't commenting.
The Attack
On New Year's Eve, while most people were celebrating, the TridentLocker ransomware gang was busy claiming a major government contractor as their latest victim [1].
Sedgwick, a massive claims administration company, confirmed on January 6, 2026 that its government-focused subsidiary (Sedgwick Government Solutions) suffered a cyberattack [2].
According to TridentLocker, they walked away with 3.4 gigabytes of documents. They've already started posting samples on their leak site.
Who Uses Sedgwick Government Solutions?
Here's where it gets concerning. Sedgwick Government Solutions provides claims and risk management services to more than 20 federal agencies, including [1][2]:
- Immigration and Customs Enforcement (ICE)
- Customs and Border Protection (CBP)
- U.S. Citizenship and Immigration Services (USCIS)
- Cybersecurity and Infrastructure Security Agency (CISA)
- Department of Homeland Security (DHS)
- U.S. Coast Guard
- Department of Labor
- Department of Commerce
The company also serves municipal agencies across all 50 states, the Smithsonian Institution, and the Port Authority of New York and New Jersey [1].
Claims management typically involves handling workplace injuries, disability claims, and other personnel matters. That means employee records, medical information, and sensitive personal data.
Who Is TridentLocker?
TridentLocker is a new ransomware-as-a-service operation that surfaced in November 2025 [3].
They use the standard double-extortion playbook: encrypt your systems, steal your data, then threaten to publish if you don't pay.
Their victim list is small but growing. Before Sedgwick, they claimed attacks on:
- Belgian postal service bpost
- LGM Holdings
- Noment Inc.
- IQS
They've listed about a dozen victims total on their Tor-based leak site. Going after a federal contractor serving immigration enforcement agencies is a major escalation.
Sedgwick's Response
Sedgwick is downplaying the damage. A spokesperson told reporters [2]:
"Sedgwick Government Solutions is segmented from the rest of our business, and no wider Sedgwick systems or data were affected."
They claim there's "no evidence of access to claims management servers" and that the breach only affected an "isolated file transfer system."
The company says it engaged external cybersecurity experts and notified law enforcement.
Government Agencies: No Comment
Both CISA and DHS declined to comment on the breach [1].
The irony here is thick. CISA (the Cybersecurity and Infrastructure Security Agency) is literally the federal agency responsible for protecting critical infrastructure from cyberattacks. And one of its own vendors just got popped.
There's no word on what specific data was exposed, which agencies might be affected, or whether any employee or claimant information was compromised.
Why This Matters
This isn't just another ransomware story. It's a reminder that government surveillance agencies have sprawling contractor networks, and those contractors have contractors.
ICE's surveillance capabilities rely on a web of private companies. When those companies get breached, the data they handle doesn't stay safe.
Claims management systems often contain:
- Social Security numbers
- Medical records
- Home addresses
- Employment history
- Disability information
If TridentLocker has this data on federal employees, including those working for immigration enforcement, the implications are serious.