Exela Technologies Inc., a Texas-based business process automation firm, filed for Chapter 11 bankruptcy in March 2025, seeking to restructure more than $1 billion in liabilities across dozens of its subsidiaries. Among them is DocuData Solutions, L.C., a company that specializes in managing and processing sensitive documents, exactly the kind of operation most vulnerable to a cybersecurity breach.

Public records and related litigation suggest an alleged 2022 ransomware incident played a significant role in Exela’s financial downturn. The breach, attributed by outside reports to the Hive ransomware group, allegedly led to data exposure, operational disruption, and mounting remediation costs that strained the company’s already precarious finances.

Legal and operational ripple effects

Court documents for DocuData and its affiliates reference categories of liabilities consistent with breach-related costs, including breach remediation contracts, potential claims under the federal Stored Communications Act (18 U.S.C. § 2701), and data privacy disputes listed in the statement of financial affairs. While Exela’s official petitions do not elaborate on the breach’s origin or scope, the company has publicly acknowledged that its remediation efforts continued into 2024, including a $35 million contract for breach notification and mitigation services.

One client, Aflac, sued Exela for nearly $900,000 in alleged losses stemming from what it described as a ransomware-related system failure. The fallout affected several of Exela’s operations and, by extension, companies like DocuData Solutions, which maintained contract work involving sensitive government and legal documentation.

DocuData’s own bankruptcy filings confirmed the company faced thousands of creditors and held more than $500 million in consolidated assets, yet liabilities topped $1 billion—leaving it in a restructuring process that underscores the high cost of a breakdown in information security.

Could this have been prevented?

Cybersecurity experts point to prevention-first strategies as a way to stop such incidents before they start. Danny Jenkins, CEO of Florida-based cybersecurity company ThreatLocker, said that based on the ransomware tactics typically attributed to Hive—including the use of phishing emails and PowerShell scripts—multiple security layers could have blocked or contained the threat.

“If attackers used scripts to escalate privileges or move laterally across the network, controls like ThreatLocker Ringfencing™ and Application Allowlisting would likely have prevented the behavior outright,” Jenkins said.

The following tools could have made the breach more difficult or even impossible:

• Application Allowlisting, which blocks any unauthorized software or executables—even if launched by a legitimate user.

• Ringfencing, which controls inter-application behavior, such as stopping Microsoft Word from calling PowerShell.

• Storage Control, which could prevent exfiltration of sensitive files to external or network storage, unless explicitly permitted.

• Elevation Control, designed to restrict privilege escalation, limits attackers’ ability to run malware with administrative rights.

Jenkins emphasized that threat actors often rely on predictable pathways that can be closed with proactive controls.

A cautionary tale for data-centric businesses

Exela’s bankruptcy encompasses more than 50 affiliates and is one of the largest corporate restructurings involving a U.S. business process outsourcing firm in recent years. The inclusion of DocuData, which deals in sensitive data for legal, government, and healthcare clients, highlights how especially vulnerable information-rich operations are when trust and uptime are compromised.

The long-term outcome of the Chapter 11 process remains uncertain. But if the alleged breach and its financial consequences are any indication, the case may set a precedent for how courts, creditors, and customers view cyber risk as a factor in corporate solvency.

Want to learn how ThreatLocker protects environments?

Schedule a demo to see how a prevention-first approach can lock down your most valuable assets

‍