Watch Now


Ransomware attack on Forward Air may have exposed sensitive employee data

Trucking company warns that Social Security and banking numbers among information at risk

Forward Air was hit in a ransomware attack in December. (Photo: Jim Allen/FreightWaves)

The devastating ransomware attack that hit Forward Air Corp. in December may have exposed sensitive personal information of current and former employees, according to data breach notices sent by the trucking giant.

The Tennessee-based firm sent letters to the attorney general offices in at least four states — California, Vermont, Montana and New Hampshire — on Sept. 24 as it began notifying the affected people. They warn that information including names, addresses, birthdates, and Social Security, driver’s license, bank account and passport numbers could have been “subject to unauthorized access” in November and early December.

The notices don’t explicitly refer to the December ransomware attack, which crippled Forward’s (NASDAQ:FWRD) systems and operations. But they state that the company uncovered the potential data exposure while investigating “suspicious activity” detected on its systems on or around Dec. 15 — the date that the company says it first became aware of the ransomware attack. 

“At this time there is no indication that anyone’s information has been subject to actual or attempted misuse,” Forward Chief Information Officer Jay Tomasello wrote in a letter being sent to affected people, which also offers free credit monitoring for a year. “Nevertheless we are informing you because your information was stored on our systems.”


It’s unclear how many people may have been affected. But a letter sent to the office of the New Hampshire attorney general said it includes current and former employees.

Hackers frequently linger inside companies’ systems for extended periods before deploying ransomware. In many cases, they steal data as added leverage against their victims, threatening to post or sell it if they don’t pay.

Ransomware victims may never know full extent of data compromised

Determining if data was stolen in a ransomware attack generally involves a painstaking forensic investigation. In cases where the attackers have covered their tracks, making that determination can prove challenging or even impossible. 

Complicating matters for ransomware attack victims: the varying disclosure requirements in each state and the risk of costly litigation brought on those affected by the data breaches.


Forward was attacked by a ransomware gang called Hades. Little was known about the group at the time, but the cybersecurity firm CrowdStrike subsequently concluded that Hades served as a front for the notorious Russia-based cybercriminal Evil Corp to evade U.S. sanctions.

A Forward Air spokesperson did not respond to FreightWaves’ requests for comment.

Read more

Click for more FreightWaves articles by Nate Tabak

Nate Tabak

Nate Tabak is a Toronto-based journalist and producer who covers cybersecurity and cross-border trucking and logistics for FreightWaves. He spent seven years reporting stories in the Balkans and Eastern Europe as a reporter, producer and editor based in Kosovo. He previously worked at newspapers in the San Francisco Bay Area, including the San Jose Mercury News. He graduated from UC Berkeley, where he studied the history of American policing. Contact Nate at [email protected].