Information technology distributor Ingram Micro Inc., a global provider of technology products and supply chain services, disclosed that a ransomware attack in July 2025 exposed personal data of about 42,521 individuals, according to a filing with the Maine Attorney General’s Office. The company’s notification letters to affected people say the incident involved unauthorised access to internal files that contained sensitive information.
The cybersecurity incident was detected on 3 July 2025. In response, Ingram Micro took parts of its network offline to contain the threat and began an investigation with the help of external experts. Personal information accessed by the attackers included names, dates of birth, government-issued identification numbers such as Social Security numbers, passport numbers, and driver’s license numbers, as well as certain employment-related details.
The ransomware attack also caused outages across the company’s internal systems and customer portals at the time. Ingram Micro restored affected services by early the following week after implementing containment and recovery measures. Although the company did not publicly identify the responsible threat actor in its regulatory filing, cybersecurity reporting from shortly after the attack linked the incident to the ransomware group SafePay, which claimed to have stolen 3.5 TB of data and listed Ingram Micro on its darknet leak site.
Ingram Micro’s disclosure indicates that the breach primarily affected employee and job applicant records, although the notification letters do not specify the impact on partner or customer data. The company is offering potentially impacted individuals services that include free credit monitoring and identity protection for a period following the incident.
Ransomware attacks often combine data theft with encryption of corporate systems to increase leverage, enabling attackers to threaten publication of stolen files if demands are not met. In the Ingram Micro case, the posting of data on illicit forums soon after the July 2025 incident suggested the attackers intended to apply extortion pressure, even if a ransom payment was not publicly confirmed.