OnTrac data breach exposed more than 40,000 personal records, files show
Breach between April 13–15, 2025 accessed Social Security numbers and other sensitive data, notification letters say
A data breach at U.S. delivery company OnTrac exposed sensitive information for more than 40,000 individuals in mid-April, according to documents filed with the Maine attorney general.
The company said the incident occurred between April 13 and April 15, 2025. Breach notification letters filed in Maine state records indicate attackers accessed personal information, including Social Security numbers and other data that the letters said could be used to commit identity theft and fraud.
OnTrac operates 64 facilities in 31 states and runs four major sorting centers nationwide, according to the filings. The company was acquired by LaserShip in 2021 and reports annual revenues of roughly $1.5 billion, making it a significant regional parcel carrier for e-commerce and other deliveries.
The notification letters were submitted under Maine’s data breach reporting requirements and were shared with individuals whose information was affected. The filings said the exposed data could enable identity theft and fraud but did not detail how the attackers gained access or whether the company had identified the perpetrators.
Cybersecurity experts say that notification filings typically contain limited information at first, and that more technical details often emerge only after formal investigations are completed. The OnTrac documents did not specify whether law enforcement or federal agencies had been notified or were investigating the incident.
The breach adds to a series of high-profile incidents this year in which large volumes of consumer information were exposed. Companies handling e-commerce and logistics have increasingly been targeted because of the volume of personal and financial data they retain on customers and shippers.
OnTrac’s filings did not disclose whether the company would offer credit monitoring or identity protection services to affected individuals, or when notification letters were mailed. State breach-notification laws vary, but companies typically are required to notify affected consumers and state authorities when sensitive personal information is compromised.
The company and its parent, LaserShip, did not immediately provide additional details in the filings about remediation steps, the scope of affected systems, or whether customers or business partners beyond those named in the Maine filings were affected. The incident underscores ongoing concerns about the security of consumer data in the logistics and delivery sector and the potential for such breaches to enable financial fraud.
Individuals concerned about exposure of personal information typically are advised to review account statements, consider placing fraud alerts or credit freezes with major credit bureaus, and monitor accounts for unauthorized activity. State authorities and federal agencies may provide additional guidance as investigations proceed.