Logistics company Forward Air suffered a ransomware data breach


Forward Air, a logistics company that offers surface shipping, suffered a data breach from a ransomware attack that exposed its employees’ personal information and gave the attackers access to it.

The cybercrime group “Hades” was reported as the attacker against Forward Air in December 2020. The logistics company was forced to shut down its network, disrupting its business, including the release of shipments for transport. In an SEC filing, Forward Air stated that it lost $7.5 million in less-than-truckload (LTL) freight revenue because it had to temporarily shut down its electronic data interfaces with clients.


The recent data breach against Forward Air was likely conducted by the cybercrime gang Evil Corp.


According to security researchers, the Evil Corp cybercrime gang was likely behind the attack on Forward Air, operating under other ransomware names such as Hades. As part of the attack, the threat actors created a Twitter account, which they said they would use to leak the data stolen from Forward Air. However, they never published any data on that account.

A year after the attack, Forward Air revealed that employees’ personal information was indeed exposed in the ransomware data breach.

The logistics company’s notification to its employees stated that it identified suspicious activity on its computer systems on December 15, 2020. It quickly launched an investigation to learn the scope and nature of the incident. The investigation eventually determined that certain Forward Air systems had been accessed around November and December of last year.

Unidentified threat actors may have stolen the data held on the exposed systems. The data include employees’ names, birthdays, residential addresses, social security numbers, passport numbers, bank account numbers, and more.

Although there has been no record of the exposed employee data being exploited, the logistics company offered the affected people one year of access to the myTrueIdentity credit monitoring service to ensure their safety. In addition, all affected employees must continue to watch for suspicious activity involving their exposed data, such as its use in phishing attacks.
