IT distributor Ingram Micro is notifying over 42,000 individuals that their sensitive personal data, including Social Security and passport numbers, was stolen during a July 2025 ransomware attack. Although the company restored its systems within a week, the Safepay ransomware group later leaked several terabytes of stolen employee and applicant records online.
Major IT products and services distributor Ingram Micro recently began notifying approximately 42,521 individuals regarding a data breach tied to a ransomware attack that occurred in early July 2025. The security incident forced the company to proactively take various systems offline to limit the spread of the intrusion, which caused significant service outages across its global operations for several days. After working to contain the threat and secure its network, the company successfully restored its affected systems and resumed normal business activities in all regions by July 9.
A subsequent forensic investigation revealed that unauthorized third parties gained access to internal file repositories between July 2 and July 3. During this window, the hackers managed to exfiltrate a variety of sensitive documents primarily related to employment and job applications. The company has since confirmed that the stolen files contained highly confidential information such as full names, dates of birth, Social Security numbers, and passport details. Additionally, driver’s license numbers and other government-issued identification data were among the records compromised during the brief period of unauthorized access.
In formal notification letters sent to the Maine Attorney General and the impacted individuals, the company detailed the specific categories of data that were exposed. To mitigate the potential for identity theft or financial fraud, Ingram Micro is offering those affected two years of complimentary credit monitoring and identity protection services. The firm has advised recipients to remain vigilant against suspicious activity and to take advantage of the security resources provided in the wake of the breach.
While the official notice did not explicitly name the threat actors involved, cybersecurity analysts have linked the event to the Safepay ransomware group. In July, the group added Ingram Micro to its dark web leak site and claimed to have successfully downloaded 3.5 terabytes of proprietary data from the company's servers. The group’s public claims aligned with the timeline of the outages and the subsequent investigation findings shared by the distributor in its regulatory filings.
By early August, the Safepay group moved to make the stolen data publicly available for download on the internet. The decision to release the files suggests that Ingram Micro declined to pay the ransom demanded by the cybercriminals to prevent the data from being leaked. This incident highlights the ongoing risks faced by large-scale IT infrastructure providers and the aggressive tactics used by ransomware organizations to pressure victims into making payments after successful data exfiltration.