Ingram Micro says July ransomware attack exposed data of 42,521 employees and applicants

The envelope looked ordinary enough — a single sheet of paper, corporate letterhead, the kind of mail employees expect in January as tax forms start to arrive.

Instead, workers and job applicants tied to Ingram Micro found a different kind of notice inside this month: a disclosure that an “unauthorized third party” had accessed the technology distributor’s internal file repositories in early July, and that their names, dates of birth, Social Security numbers and, in some cases, driver’s license or passport numbers were among the records taken.

The letter, dated Jan. 16, marked the first time many of them learned they were personally caught up in a ransomware attack that had already rattled the global IT supply chain six months earlier.

Ingram Micro, one of the world’s largest technology distributors, has told state regulators that personal information for 42,521 people was exposed in a July 2025 cyberattack linked to the SafePay ransomware group. Most of those affected are current and former employees or job applicants.

The company disclosed the scope of the breach in recent filings with state attorneys general, including in Maine, where it reported that files accessed between July 2 and July 3 contained legally defined personal information. The filing lists Dec. 26, 2025, as the date Ingram Micro “discovered” that such data was involved and Jan. 16, 2026, as the start of consumer notifications.

The timing underscores a widening gap between when large companies acknowledge debilitating cyber incidents and when individuals whose data is swept up in those attacks are informed.

From global outage to personal fallout

Headquartered in Irvine, California, Ingram Micro sits at the center of the business technology world. The company posts annual revenue of about $50 billion and serves more than 160,000 customers in 57 countries, moving hundreds of millions of devices a year on behalf of vendors such as Apple, HP, Cisco and Microsoft.

That scale made the disruption in early July hard to miss.

On July 3 and 4, partners and managed service providers reported that Ingram Micro’s online ordering portals, including its Xvantage digital platform and Impulse license provisioning system, were unreachable. Some websites displayed maintenance messages. Resellers said they could not place or track hardware orders or adjust cloud subscriptions for their own customers.

Under mounting pressure, the company publicly acknowledged the incident on July 5, saying it had “recently identified ransomware on certain of its internal systems.”

“We promptly took certain systems offline, launched an investigation with the assistance of leading cybersecurity experts, and notified law enforcement,” the company said in a news release.

By around July 10, Ingram Micro told partners it had restored business operations globally.

A ransomware group calling itself SafePay later claimed responsibility on its leak site, saying it had stolen roughly 3.5 terabytes of data from Ingram Micro — a volume the company has not confirmed. Security outlets reported that ransom notes labeled “readme_SafePay.txt” appeared on affected systems and that the group threatened to publish stolen data if its demands were not met.

On an analyst call in August, Chief Executive Paul Bay acknowledged that “certain data was exfiltrated from our systems” during the attack. He said the company would notify individuals if it determined personal information was involved, in line with legal requirements.

Those determinations, Ingram Micro now says, came at the end of December.

What was exposed

In its notice to regulators and affected individuals, Ingram Micro said an investigation found that during the July 2–3 window, an unauthorized actor gained access to internal file repositories and took copies of some files. A subsequent review identified personal information in those records.

The types of data vary by person but can include names, contact information, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, and information from employment or job application records. Some legal notices summarizing the breach also reference work-related evaluations.

The Maine filing lists 42,521 people as affected nationwide, including five residents of that state. The overall population is spread across multiple states and potentially countries, reflecting the company’s global workforce and hiring footprint.

So far there is no indication in public filings that consumer payment card data or broad end-customer records were part of this disclosure. Ingram Micro describes the exposed records as coming from internal employment and applicant files.

The company said it has no evidence that the personal information has been misused, but it is offering two years of free credit monitoring and identity theft protection through Experian to those notified.

“Ingram takes this incident and the security of the personal information in our care very seriously,” the notification letter states. It says the company has implemented “additional safeguards” in response to the attack, without specifying the measures.

An Ingram Micro spokesperson did not respond to questions about whether the company paid a ransom, what additional steps it has taken to secure its systems, or whether any of the data SafePay claimed to have stolen has appeared on criminal forums.

A fast-moving gang, a slow forensic grind

SafePay emerged in late 2024 and quickly became one of the most active ransomware groups in the world, according to security researchers. The gang favors a double extortion model: infiltrate a network, quietly copy out large volumes of data, then encrypt systems and demand payment both to restore access and to prevent the stolen files from being published or sold.

Investigators say SafePay often breaks in through remote access tools or virtual private network gateways, sometimes using stolen credentials. In Ingram Micro’s case, several outlets, citing people familiar with the probe, reported that the group may have exploited the company’s GlobalProtect VPN system, though Ingram Micro has not confirmed the initial access point.

For large organizations with sprawling file stores, it can take forensic teams weeks or longer to map which servers were touched, what data they held and who that data belongs to.

Under most U.S. state data breach laws, the clock for notifying individuals starts when a company determines that personal information, as defined in statute, was acquired by an unauthorized party — not necessarily on the date the attack was first detected.

Ingram Micro has told Maine regulators it made that determination on Dec. 26. The first batch of notification letters went out about three weeks later.

Legal and regulatory pressure builds

Even before the letters landed, plaintiffs’ attorneys were tracking Ingram Micro’s case closely. In recent days, multiple U.S. law firms have announced investigations or solicited potential clients for proposed class actions on behalf of affected employees and job applicants.

Those firms generally argue that Ingram Micro did not use reasonable security to protect highly sensitive workforce data and that victims now face an elevated risk of identity theft and fraud. They are also focusing on the fact that applicant data — including Social Security and passport numbers — may have been retained even for candidates who were not ultimately hired.

“Employers that collect and store Social Security numbers, driver’s license numbers, and passport information have a legal and moral obligation to keep that information safe,” one firm wrote in a public notice about the incident.

As of this week, no major class-action complaint had appeared in public court dockets, but such filings often follow soon after notice periods begin. Any lawsuits could seek damages for the cost of credit monitoring, time spent mitigating risk, and any fraudulent charges or accounts that appear.

Regulators may also take a deeper interest. Ingram Micro returned to public markets in 2024 and is now subject to Securities and Exchange Commission rules requiring timely disclosure of material cyber incidents. The company issued a press release about the ransomware attack in July but has not yet detailed the financial impact, if any, in periodic SEC filings. Future annual or quarterly reports could shed light on costs related to response, system restoration, insurance and potential litigation.

A critical node in a fragile chain

For the broader technology ecosystem, the Ingram Micro attack is another reminder of how a single breach can ripple outward.

Because distributors like Ingram sit between manufacturers and the resellers and service providers that assemble solutions for end customers, outages in their systems can delay everything from laptop purchases to cloud migrations. When a ransomware crew such as SafePay also walks away with troves of internal data, the risk profile extends beyond downtime to questions about what business, network or contract information might be in the stolen cache.

Ingram Micro’s public notices so far focus on internal personnel data. The company has not said whether any partner or customer configuration details or contracts were among the files SafePay claims to hold, and there is no independent confirmation that the touted 3.5 terabytes of data exist or have been leaked.

For the tens of thousands of people now watching their credit reports, those outstanding questions are largely academic. The systems outage that disrupted Ingram Micro’s global operations last summer has become, months later, a personal, long-term concern.

The company’s networks are back online. Its supply chain is moving again. But for employees and applicants whose Social Security and passport numbers were sitting on internal servers when SafePay broke in, the real recovery — if it comes — will stretch well beyond the two years of monitoring the company has offered.