Timeline: How Estes responded to a cyberattack

This audio is auto-generated. Please let us know if you have feedback.

Estes Express Lines President and COO Webb Estes described October as “a rainy month” for the Richmond, Virginia-based LTL carrier as it slogged through a cyberattack that affected systems for weeks.

While it kept moving freight, Estes shut down its company email accounts, phones, website and other capabilities in response to the attack. That resulted in temporary freight diversions to its competitors, before it successfully restored systems and won back business.

“We are going to look back on this as something we learn from and something that only makes us stronger,” Webb Estes promised.

The trucking company took pains to brief customers, employees and the public through each step of its recovery.

The timeline below, based on the company’s videos, social media posts and other updates, shows how the attack and Estes’ response unfolded over the course of the month.

Oct 1. - Estes discovers ‘outside actor activity’ on its network

The carrier shuts down its systems and implements its incident response plan, contacting GuidePoint Security within 90 minutes of the shutdown. "We pulled all network connectivity” in an attempt to protect employees, customers and partners, CIO Todd Florence later says.
Oct. 2 - Estes reports 'outage in our core IT infrastructure'

The systems shutdown in response to the cyberattack caused the outage, but the carrier doesn't say so — yet. It asks customers to reach out to account managers, "preferably by text" and creates new Microsoft 365 company email accounts.
Oct. 3 - Estes discloses the cyberattack, in a strategy shift

Frustrated company executives decide the typical corporate strategy of saying as little as possible isn't serving customers or employees, according to President and COO Webb Estes. The carrier publicly announces the cyberattack around 7:30 a.m.
Oct. 4 - Estes shares an online customer contact form

This is a key interim step, with the carrier's phones, email addresses, website and other capabilities down, executives later say.
Oct. 6 - Webb Estes provides the first of a series of video updates

"I want to make it clear that Estes is still very much open for business, and we are picking up and delivering freight," the president and COO says in a video shared on social media.
Oct. 12 - Company phone lines and email accounts are restored

The company lists updated contact information, as well as alternative means of contacting a carrier representative, on its website, Webb Estes says in another video update.
Oct. 18 to 19 - Essentially all systems are restored

“'All' is always a relative word, but essentially all of our systems were back up and online,” Florence later says. “We were 18 or 19 days before what we would consider fully operational. And let's be honest: The customer systems were up in seven to eight days. ... The things that took longer were from a prioritization perspective. We had to be able to bring in freight and bring in orders before we had to invoice them.”
Oct. 24 - All business functions are restored

"I'm thrilled to report we've completely restored our systems capabilities," the COO says in a video update. "With the additional security measures we've put in place, we are back stronger than ever and ready to serve you."
Oct. 27 and 30 - Competitors report temporary freight diversions

ABF Freight and XPO executives attribute bumps in freight volumes to the cyberattack on Estes. But executives say much of the diverted freight has returned to Estes.
Nov. 6 - Estes provides more details on the cyberattack to media

The company releases a nearly 44-minute, video-recorded conversation between its chief operating officer and chief information officer to Trucking Dive and other media outlets in response to questions. "Pretty much all of our business is back," Webb Estes says.