Estes Express Says It Is Doing Well Post-Cyberattack

Executives Share Further Details About October Attack, Lessons Learned
“Pretty much all of our business is back” following the attack, Estes Chief Operating Officer Webb Estes said in a video released to the media Nov. 15. (Estes Express Lines)

Executives from Estes Express Lines recently shared details and lessons learned about the company’s response after an October cyberattack hampered the carrier’s operations.

“Pretty much all of our business is back,” Chief Operating Officer Webb Estes said in a video released to the media Nov. 15. While none of the less-than-truckload carrier’s core operations systems went down as a result of the attack, Chief Information Officer Todd Florence said it took 18-19 days before Estes Express was fully operational. Amid the crisis, the company restored communications at the operational level within four or five days and continued to move freight. Florence noted that customer systems were up in seven or eight days — at which point Estes Express could take on and quote new business.

Webb Estes said that the Richmond, Va.-based company would not be sharing revenue figures from “before, during or after” the attack. As a privately owned company, it is not required to do so. However, the company said it is doing more business now than it was at this point 12 months ago.

Estes Express ranks No. 14 on the Transport Topics Top 100 list of the largest for-hire carriers in North America. It ranks No. 5 on the less-than-truckload sector list.

Estes Express’ systems came under attack in the first couple of days of October. The attack first came to light when the company noticed “outside activity on our network” on Oct. 1, said Florence, adding that the company’s first response was to push the theoretical big red button and pull all network connectivity. Estes Express had GuidePoint Security engaged with the problem within 90 minutes of that inkling. The company had its cybersecurity partner check what was affected, what was not and what needed to be done.

Florence said several of the company’s systems were unaffected, which allowed a swifter-than-expected recovery. For example, some of the company’s operational systems are separate from some of the communications systems, and none of the company’s financial or human resources systems saw direct impacts. It was a little bit of “dumb luck in some spots” that helped out with the quick recovery, he said.

Estes Express was also helped by a good endpoint detection and response platform that protected most of the company’s systems as well as immutable backups in those areas that needed to be restored, so multiple systems could be restored at the same time, Florence said.

What also helped Estes Express was that the company did not have any shareholders to talk to because it is private and did not have any banks to talk to because it is debt free, said Webb Estes, adding that such a privileged position allowed him to spend some time each day talking to customers.

Being honest with customers was a must and a big win, he said.

Letting customers know Estes Express was dealing with a cyberattack changed the responses, Florence said. He said he was on the receiving end of an outpouring of support from the technology community that was “a little bit overwhelming.”

Florence said he heard from peers across the industry who said they were dealing with similar threats and issues.

“This isn’t a singular event,” he said. “For anyone that thinks that their systems are overly secure, and this can never happen to you, unfortunately, it’s become a when not an if.


“There’s a lot of bad actors out there. In the industry, they call them ‘threat actors.’ They are targeting any vulnerability they can find, regardless of how good your systems are and your security is. Defense is a lot harder than offense.”

However, there were mistakes made as the company fought back against the attack that others could learn from, the executives said.

“Bringing systems up in the wrong order. Or announcing that all of our [application programming interfaces] were up, and we go ‘what about these three over here?’ Some of that kind of sort of stuff that happened throughout,” Florence said.

Florence said the company wanted to share best practices with its peers and also where it got it wrong. “It really is an us versus them [when it comes to hackers and cybercriminals], as opposed to trying to play a corporate game of ‘gotcha’ with one another,” he said.

The company wants to move away from legacy APIs, Webb Estes said. During the recent attack, it had multiple shipment tracking and other APIs rather than just a standardized option.

“I almost felt like we could get up in 24 hours, but part of that process is you’re also trying to make sure that when you come back up, you’re coming back clean and secure,” he said. “We cut off our terminals from having access to us for a short period of time. Did we need to? Time will tell.”