PROBABLYPWNED
Data Breaches | January 20, 2026 | 4 min read

Ingram Micro Confirms Ransomware Breach Affecting 42,000

SafePay ransomware group allegedly stole 3.5TB from the $48B IT distributor. Employee SSNs, passports, and performance reviews exposed.

Sarah Mitchell

Tech distribution giant Ingram Micro disclosed yesterday that a July 2025 ransomware attack compromised personal data belonging to 42,521 current and former employees. The SafePay ransomware group claimed responsibility, allegedly exfiltrating 3.5 terabytes of internal files.

With $48 billion in annual sales and over 23,500 employees, Ingram Micro serves as a critical link between technology vendors and the resellers, managed service providers, and businesses that purchase their products. The breach underscores how ransomware operators increasingly target supply chain chokepoints.

What Was Stolen

According to breach notification letters filed with Maine's attorney general, the compromised data includes:

  • Names and contact information
  • Dates of birth
  • Social Security numbers
  • Driver's license and passport numbers
  • Employment-related information including work evaluations

The inclusion of performance reviews and evaluations goes beyond typical breach data. Attackers with access to HR files gain insight into personnel matters, compensation details, and potentially internal conflicts—information that could enable targeted social engineering.

Timeline of the Attack

The attack unfolded quickly:

July 2, 2025: Unauthorized access begins to Ingram Micro's internal file repositories

July 3, 2025: Ingram Micro detects the intrusion and begins incident response

July 4-5, 2025: Services go offline worldwide over the holiday weekend. Channel partners find websites down and cannot place orders

Late July 2025: SafePay posts Ingram Micro to their dark web leak site, claiming 3.5TB of stolen data

January 19, 2026: Ingram Micro files breach notification confirming 42,521 affected individuals

The six-month gap between attack and disclosure reflects the time required for forensic investigation and victim identification. But it also means affected employees spent half a year unaware their personal information—including government IDs—had been stolen.

Who Is SafePay?

SafePay emerged in September 2024 as a relatively quiet ransomware operation. The group has since grown into one of the more active RaaS operators, linked to over 200 victims across multiple sectors.

Security researchers have connected SafePay to the LockBit ecosystem, suggesting the group may have spun out after LockBit's February 2024 infrastructure seizure. If accurate, the operators brought experience and connections to their new venture.

SafePay favors double extortion: encrypting systems while threatening to publish stolen data. The 3.5TB theft from Ingram Micro fits this pattern. Whether Ingram paid, or SafePay published the data, hasn't been publicly confirmed.

Supply Chain Implications

Ingram Micro occupies a strategic position in the technology supply chain. The company connects over 1,500 vendors with 161,000+ customers—resellers and MSPs that rely on Ingram for product procurement, logistics, and services.

When Ingram's systems went down over July 4th weekend, downstream customers couldn't place orders or access their accounts. A prolonged outage could have cascaded through thousands of businesses dependent on the distribution channel.

This pattern echoes the Marquis Software breach that rippled through financial institutions, and the University of Phoenix breach that affected millions through a third-party compromise. Ransomware operators have learned that attacking infrastructure providers multiplies impact.

What Affected Employees Should Do

Ingram Micro is offering affected individuals identity monitoring services. Those who receive notification letters should:

  1. Enroll in the offered monitoring as a baseline protection
  2. Place fraud alerts with all three credit bureaus (Equifax, Experian, TransUnion)
  3. Consider a credit freeze given that SSNs and government IDs were exposed
  4. Monitor financial accounts for unauthorized activity
  5. Be alert for targeted phishing that references specific Ingram details

The exposure of passport and driver's license numbers is particularly concerning. Unlike credit cards, government IDs cannot be easily replaced and have long-term value for identity fraud.

Why This Matters

The Ingram Micro breach illustrates how ransomware has evolved from opportunistic disruption to systematic data theft. The attackers didn't just encrypt systems—they exfiltrated terabytes of HR records over what appears to have been a multi-day intrusion.

For the 42,000+ affected employees, the consequences extend far beyond their employer. Their personal data—identifiers that can't be changed—now sits in criminal hands. The real cost of ransomware isn't paid by corporations. It's paid by the people whose information becomes collateral damage.
