On November 19, 2025, WEL Companies Inc., a transportation and logistics provider, disclosed a data breach exposing the personally identifiable information (PII) of at least 122,960 individuals in the U.S. The incident was traced back to March 28, 2025, when unauthorized threat actors later identified as the RansomHub ransomware group acquired 189 GB of company data, including names, dates of birth, Social Security numbers, and driver’s license/government-issued ID numbers. The group threatened to publish the stolen data on the dark web, escalating risks of identity theft, financial fraud, and privacy violations.The breach was detected on January 31, 2025, but confirmation of PII exposure occurred only in November 2025, delaying response efforts. While the full scope remains under investigation, initial reports confirm impacts in Maine (515 residents) and New Hampshire (592 residents). WEL Companies secured its network, engaged cybersecurity experts, and offered free identity monitoring (via Kroll) to affected individuals. The company also notified state Attorney Generals' offices (California, Maine, New Hampshire) and established a dedicated assistance line for queries.The breach’s severity stems from the large-scale PII exposure, ransomware involvement, and potential for long-term fraud risks, though no immediate financial or operational disruptions were reported.
Source: https://www.claimdepot.com/data-breach/wel-companies-2025
TPRM report: https://www.rankiteo.com/company/wel-companies-wisconsin-express-lines-
"id": "wel1792417112025",
"linkid": "wel-companies-wisconsin-express-lines-",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 122960,
'industry': 'Transportation and Logistics',
'location': 'United States',
'name': 'WEL Companies Inc.',
'type': 'Private Company'}],
'customer_advisories': ['Review breach notices from WEL Companies.',
"Enroll in Kroll's identity monitoring.",
'Monitor accounts for suspicious activity.',
'Contact assistance line for questions.'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 122960,
'personally_identifiable_information': True,
'sensitivity_of_data': "High (includes SSNs, driver's license "
'numbers, government IDs)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2025-01-31',
'date_publicly_disclosed': '2025-11-19',
'description': 'On Nov. 19, 2025, transportation and logistics provider WEL '
'Companies Inc. reported a data breach exposing the personally '
'identifiable information (PII) of at least 122,960 '
'individuals in the U.S. The breach was attributed to the '
'RansomHub ransomware group, which claimed to have obtained '
'189 GB of data and threatened to publish it on the dark web. '
'The exposed PII includes names, dates of birth, Social '
"Security numbers, and driver's license or government-issued "
'ID numbers, posing risks of identity theft and financial '
'fraud.',
'impact': {'brand_reputation_impact': 'High (due to large-scale PII exposure '
'and dark web publication threat)',
'data_compromised': ['Names',
'Dates of Birth',
'Social Security Numbers',
"Driver's License Numbers",
'Government-Issued ID Numbers'],
'identity_theft_risk': 'High',
'legal_liabilities': 'Potential (pending state notifications and '
'regulatory scrutiny)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Threatened (189 GB of '
'data)',
'high_value_targets': ['PII Databases']},
'investigation_status': 'Completed (as of 2025-11-12)',
'motivation': ['Financial Gain', 'Data Theft', 'Extortion'],
'post_incident_analysis': {'corrective_actions': ['Enhanced Security Measures '
'(unspecified)']},
'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'RansomHub'},
'recommendations': ['Sign up for free identity monitoring services (Kroll).',
'Monitor financial accounts and credit reports for '
'identity theft signs.',
'Consider placing fraud alerts or credit freezes with '
'major credit bureaus.',
'Be cautious of phishing attempts (unsolicited '
'emails/phone calls).'],
'references': [{'source': 'WEL Companies Inc. Breach Notice (Mail)'},
{'date_accessed': '2025-11-19',
'source': "Maine Attorney General's Office"},
{'date_accessed': '2025-11-19',
'source': "New Hampshire Attorney General's Office"}],
'regulatory_compliance': {'regulatory_notifications': [{'agency': 'Attorney '
'General of '
'California',
'date': '2025-11-19'},
{'agency': 'Attorney '
'General of '
'Maine',
'date': '2025-11-19'},
{'agency': 'Attorney '
'General of '
'New '
'Hampshire',
'date': '2025-11-19'}]},
'response': {'communication_strategy': ['Mail Notifications to Affected '
'Individuals (started 2025-11-18)',
'Dedicated Assistance Line '
'(844-354-9425, Mon-Fri 9:00 a.m. - '
'6:30 p.m. ET)',
"Disclosure to Attorney Generals' "
'Offices (California, Maine, New '
'Hampshire)'],
'containment_measures': ['Network Secured Immediately'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'remediation_measures': ['Enhanced Security Measures '
'Implemented'],
'third_party_assistance': ['Cybersecurity Experts (unspecified)',
'Kroll (identity monitoring '
'services)']},
'stakeholder_advisories': ['Dedicated assistance line for affected '
'individuals (844-354-9425).',
'Free identity monitoring services (Kroll) offered '
'to all affected.'],
'threat_actor': 'RansomHub',
'title': 'WEL Companies Inc. Data Breach (2025)',
'type': ['Data Breach', 'Ransomware Attack']}