
Incident story · Supply-chain compromise

The dispatch software vendor pushed an update. It also pushed a backdoor.

The owner of a $60M regional trucking and warehousing firm in the Mid-Atlantic got the news in the worst possible way — a competitor sent him a link. His firm's dispatch logs, customer contracts, driver personal information, and rate-sheet history were sitting on a dark-web forum. The intrusion had happened eight weeks earlier through a routine software update from the firm's long-time TMS vendor. The vendor's SOC 2 had not protected him. His firewall had not protected him. His EDR had not protected him. The vendor's build pipeline had been compromised; the attacker had simply waited for the next signed release to push the backdoor to every customer at once.

By Stefan Efros, CEO & Founder, EFROS. Reviewed by Daniel Agrici, Chief Security Officer, EFROS.

At a glance

The shape of the incident

Industry / scale: Regional trucking + warehousing · 2 facilities · US Mid-Atlantic · $60M revenue · 85 employees
Attack type: Supply-chain compromise — backdoored TMS software update from a trusted vendor
Time to detection: 8 weeks (data appeared on a dark-web forum)
Total estimated cost: $8.9M (lost contracts + investigation + DOT audit + remediation)
Recovery time: 9 months to operational stability · 14 months for the DOT audit close
Cyber insurance recovery: ~22% of total ($1.95M of $8.9M)

What happened

One update, eight weeks of quiet, then the competitor's phone call

The vendor and the update. The firm had used the same transportation management system for nine years. The vendor was a mid-sized US software company with a SOC 2 Type 2, a vendor risk questionnaire on file, and a long track record of clean updates. On a routine Wednesday, the vendor pushed version 7.4 of the admin tool to every customer environment. The update was digitally signed by the vendor. It installed without incident.

What the firm did not know. Three weeks earlier, an attacker had compromised the vendor's build environment via a developer's stolen credentials. The attacker waited for the next release cycle and inserted a backdoor into the admin tool. When 7.4 went out, the backdoor went with it — signed, sealed, distributed to every customer in the vendor's installed base.

Weeks one to four — quiet recon. The backdoor allowed the attacker to authenticate as the TMS service account, which had broad access on the firm's network because the TMS itself needed to read from accounting, HR (for driver records), and the customer contract database. The attacker pulled dispatch logs going back two years, the full active customer contract file, the driver master list with Social Security numbers and CDL data, and the firm's rate sheet history.

Weeks five and six — exfiltration. The attacker exfiltrated approximately 14 gigabytes of data over a two-week window, in small chunks during low-traffic hours, disguised as TMS replication traffic to the vendor's cloud. The firm's EDR did not flag it because the traffic looked exactly like normal TMS behavior — that was the point of compromising the TMS vendor.
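The evasion above works against per-event rules: each chunk is smaller than a legitimate replication burst, so no single flow looks wrong. What does expose it is aggregating bytes per day for the TMS host to vendor pair and comparing against a baseline, including the share sent in off-hours. The following is an added example, not EFROS's tooling or the firm's; the flow-record format, the host name tms-app01 and the vendor endpoint tms-replication.vendor.example are constructed assumptions.

```python
from collections import defaultdict
from statistics import median
# Constructed flow records "YYYY-MM-DD HH:MM,src,dst,bytes"; names are hypothetical.
# Days 1-3: one business-hours burst each. Days 4-5: same burst plus small off-hours chunks.
SAMPLE_FLOWS = """\
2024-03-01 09:00,tms-app01,tms-replication.vendor.example,210000000
2024-03-02 09:00,tms-app01,tms-replication.vendor.example,205000000
2024-03-03 09:00,tms-app01,tms-replication.vendor.example,198000000
2024-03-04 01:10,tms-app01,tms-replication.vendor.example,90000000
2024-03-04 02:40,tms-app01,tms-replication.vendor.example,95000000
2024-03-04 03:55,tms-app01,tms-replication.vendor.example,88000000
2024-03-04 09:00,tms-app01,tms-replication.vendor.example,204000000
2024-03-05 01:05,tms-app01,tms-replication.vendor.example,92000000
2024-03-05 09:00,tms-app01,tms-replication.vendor.example,207000000
"""
def parse_flows(text):
    """Return (day, hour, src, dst, bytes) tuples from the CSV-style lines."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows.append((ts[:10], int(ts[11:13]), src, dst, int(nbytes)))
    return flows

def per_flow_hits(flows, threshold):
    """Count flows above a single-event byte threshold (the rule chunking defeats)."""
    return sum(1 for *_, nbytes in flows if nbytes > threshold)

def daily_profile(flows, src, dst, off_hours=range(0, 6)):
    """Per-day (total bytes, off-hours bytes) for one src->dst pair, date-ordered."""
    total, off = defaultdict(int), defaultdict(int)
    for day, hour, s, d, nbytes in flows:
        if (s, d) == (src, dst):
            total[day] += nbytes
            off[day] += nbytes if hour in off_hours else 0
    return {day: (total[day], off[day]) for day in sorted(total)}

def flag_days(profile, baseline_days=3, factor=2.0, off_share=0.25):
    """Flag days over factor x the baseline median total, or with too much off-hours traffic."""
    days = list(profile)
    baseline = median(profile[d][0] for d in days[:baseline_days])
    findings = []
    for d in days[baseline_days:]:
        tot, off = profile[d]
        reasons = []
        if tot > factor * baseline:
            reasons.append(f"volume {tot / baseline:.1f}x baseline")
        if tot and off / tot > off_share:  # guard against zero-byte days
            reasons.append(f"off-hours share {off / tot:.0%}")
        if reasons: findings.append((d, reasons))
    return findings
```

A per-flow threshold above the normal burst size fires on nothing in this sample, while the daily profile flags both chunked days, one on volume and off-hours share and the other on off-hours share alone.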

Week eight — the competitor's call. On a Tuesday morning, a competing logistics firm's owner called the affected firm. He had been browsing a dark-web threat intelligence feed his MSSP shared with him, and he had recognized the affected firm's customer names and rate sheets in a fresh dump. He passed along the link as a professional courtesy. Within an hour the firm was on the phone with breach counsel and the FBI.

Days 1 to 4 — the vendor goes silent. The firm contacted the TMS vendor. The vendor confirmed they were aware of the compromise — they had been investigating for eleven days — and had not yet notified customers. The firm asked when notification was coming. The vendor's general counsel said they were "working on language." The firm's contract had no breach notification SLA.

Week 2 — anchor customer notifications. The firm pre-empted the vendor and notified its own customers directly. Two of the top five shippers — one a Fortune 500 retailer, one a regional grocery chain — sent formal breach inquiries within 48 hours. Both began evaluating alternative carriers within a week.

Week 6 — DOT inquiry. Because the dump included driver personal data and Hours-of-Service records, the FMCSA opened an inquiry into the firm's data handling practices. What started as an inquiry became a full audit when the agency discovered the firm had no documented vendor risk management program.

Month 6 — the non-renewal letters. The Fortune 500 retailer did not renew at all. The grocery chain renewed at 40 percent reduced volume, citing "risk diversification." Combined, the two represented approximately $8M of trailing ARR. The DOT audit closed at month 14 with a corrective action plan and no penalty.

What it cost

The bill, itemized

Line item / Amount

Lost ARR — two anchor shipper contracts did not renew: $8,000,000
Two of the firm's top five customers cited the breach in their non-renewal letters. One stayed with a 40% volume reduction; one left entirely.

DFIR + supply-chain forensic investigation: $340,000
Identify the backdoor mechanism, trace lateral movement, determine what data left the environment, coordinate with the vendor and other affected customers.

DOT compliance audit response: $185,000
Audit triggered by exposure of driver PII and Hours-of-Service data. Document production, on-site visits, corrective action plan.

Customer notification + contractual breach response: $210,000
Notification letters to every shipper whose contract data was in the dump. Renegotiation costs and discount concessions on retained accounts.

Environment rebuild + vendor risk program: $220,000
Replace TMS, rebuild network segmentation, deploy EDR across fleet management infrastructure, third-party risk register and assessment program.

Cyber insurance premium increase (3-year): $165,000
Premium up 180% YoY; carrier required attestation of vendor risk management program at renewal.

Cyber insurance recovery: ($1,950,000)
Covered investigation and portion of revenue loss within the policy sub-limit. Did not cover all ARR loss.

Net to the firm: ~$6,970,000
Mostly trailing revenue loss as the contracts expired. Owner financed remediation with a credit line and a 14-month draw freeze.

What we did

EFROS-style response — what an engagement looks like

Day 1 — confirm and contain. We confirm the dump on the dark-web forum is real, scope what is there (customer names, contract terms, driver PII, rate sheets), and isolate the TMS environment from the rest of the network. We pull the TMS off the network while keeping operations running on manual dispatch workflows.

Days 2 to 7 — full scope forensics. We work backwards from the dump to identify the exact moment of first compromise, every system the TMS service account touched, and every piece of data that left the environment. We coordinate with the vendor — through counsel — to get details of the build pipeline compromise, since the vendor's evidence drives the customer notification scope.

Week 2 — pre-empt vendor disclosure. The vendor is going to disclose eventually. The firm's customers are going to find out. We notify customers directly with what is known, in plain language, with breach counsel on every word. The owner's name goes on the letter; the message is short, factual, and gives customers a contact and a timeline. We do not wait for the vendor.

Weeks 3 to 8 — DOT response and vendor risk program. We build the vendor risk register the firm did not have: every vendor, what data they touch, what notification SLA exists, when the next attestation is due. We segment the network so no future TMS or ERP compromise can reach the accounting system or HR system. We respond to FMCSA through counsel.

Months 2 to 9 — customer retention and contract renegotiation. The owner spends months on the road meeting with shippers in person. We provide the technical evidence package — what was breached, what the new controls are, what notification SLA we now contractually require from every vendor — so the owner can answer the question every shipper asks: prove it will not happen again.

Ongoing. Quarterly vendor risk reviews. Annual vendor attestation cycle. Network segmentation tested quarterly. Dark-web monitoring for the firm's customer names and rate-sheet fingerprints.

What you should take from this

Five things to do this week

01. Supply-chain attacks bypass everything you have done. The firm had EDR, MFA, backups, employee training. None of it mattered. The attacker came in through a signed, vendor-pushed software update that the customer had every reason to trust.

02. A vendor's SOC 2 does not protect the customer. It tells you the vendor had documented controls that an auditor examined over the audit period. It does not tell you the vendor's build pipeline is clean today. SOC 2 is a starting question, not a finishing answer.

03. Third-party risk management is a register, not a one-time questionnaire. It is a list of every vendor with access to your systems or data, what they can reach, what notification they owe you on a breach, when their attestations expire, and how you would replace them.

04. Vendor breach notification needs to be in writing before you sign. The firm had no contractual SLA on the TMS vendor for breach notification — when the vendor learned about the backdoor, they spent eleven days deciding how to communicate it.

05. Network segmentation is the difference between 'a vendor compromised our dispatch tool' and 'a vendor compromised our entire environment.' The TMS lived on the same network segment as the firm's accounting system, HR system, and email — there was no boundary to slow the attacker down.

The 60-second self-check

Three yes/no questions

If any answer is no — or any answer is "I think so" — you have the same exposure profile as the logistics firm in this story.

1. Do you have a written list — not in someone's head — of every software vendor that has access to your data or your network, and what data each one can reach?

If it lives in IT's memory, it does not exist for risk management purposes.

2. If your most critical software vendor was breached tonight, would you find out from the vendor — by contract, within a defined number of days — or would you find out from a customer or a news article?

Check your contracts. Most have no breach notification SLA at all.

3. If a vendor pushed a malicious update to your environment, would your network architecture limit what they could reach, or would they have line of sight to everything?

This is segmentation. Not firewall rules — actual separation between vendor-touching systems and your crown jewels.


Names, locations, and identifying details changed. Numbers represent typical ranges from EFROS engagements; specific cases vary. Nothing on this page is legal advice.