42,000 Impacted in Ingram Micro Ransomware Attack

Ingram Micro has confirmed that a ransomware attack last July caused a data breach affecting over 42,000 people.

With more than 23,500 employees, more than 161,000 clients, and reported net sales of $48 billion in 2024, Ingram Micro is one of the biggest business-to-business service providers and technology distributors in the world.

The company said that the attackers obtained documents containing a variety of personal information, including Social Security numbers, in data breach notification letters that were mailed to those impacted by the incident and submitted with Maine’s Attorney General.

The IT giant had disclosed that they had discovered a cybersecurity incident involving a few of our internal systems on July 3, 2025. We promptly started looking into the nature and extent of the problem. “Based on our investigation, we determined that an unauthorised third party took certain files from some of our internal file repositories between July 2 and 3, 2025. The affected files include employment and job applicant records that contain personal information such as name, contact information, date of birth, government-issued identification numbers (such as Social Security, driver’s licence, and passport numbers), and certain employment-related information (such as work-related evaluations).”

Employment and job candidate records with names, dates of birth, Social Security numbers, passport numbers, and driver’s licence numbers were among the compromised files.

For the threat actor, 3.5 gigabytes of data were purportedly stolen by the SafePay ransomware organisation, which claimed responsibility. In August 2025, they made the material public, implying that Ingram Micro had declined to pay the ransom.

The attack in July 2025 also caused a significant outage that brought down Ingram Micro’s website and internal systems, leading the company to request that workers work from home.

Ingram Micro confirmed that the attackers used ransomware on its systems after BleepingComputer initially revealed on July 5 that the SafePay ransomware gang was responsible for the attack, even though the company has not yet connected the breach to a particular threat group.

Three weeks later, the cybercrime organisation added the IT firm to its dark web leak page and claimed to have stolen 3.5TB of documents.

Since emerging as a private organisation in September 2024, SafePay has expanded their leak site to include hundreds of victims. But since only those who don’t pay are mentioned, the true number of victims is probably higher.

This ransomware operation is particularly well-known for its double-extortion strategies, which involve stealing confidential papers, encrypting victims’ devices, and threatening to post the stolen files online if a ransom is not paid.

SafePay has been one of the most active ransomware organisations since the beginning of 2025, gradually filling the void left by LockBit and BlackCat (ALPHV) malware.

A representative for Ingram Micro has not yet responded to the members of the press on the request for additional information about the attack and confirmation that the breach was caused by the SafePay ransomware.

For those who are impacted, Ingram Micro is providing free credit monitoring for a period of 24 months with services for identity protection.

After putting systems offline to contain the initial attack, the firm completely resumed its worldwide operations by July 9, 2025. For resources and updates, those who are impacted should visit the Ingram Micro Information Page.