A ransomware attack on technology distributor Ingram Micro in July compromised the personal data of more than 42,000 employees and job applicants, the company has confirmed.
A filing with the attorney general’s office in the US state of Maine puts the number of affected individuals at 42,521.
In letters it is sending now the firm says the breach involved employment and recruitment records.
Ingram Micro, one of the world’s largest business-to-business technology providers, said attackers accessed internal file repositories over a two-day period in early July.
“On July 3, 2025, we detected a cybersecurity incident involving some of our internal systems,” the company said.
An investigation later found that an unauthorised third party had taken files between 2nd and 3rd July.
The stolen documents include a wide range of sensitive personal information, such as names, contact details, dates of birth and government-issued identification numbers.
These include Social Security numbers, as well as driver’s licence and passport details, according to the company.
Some employment-related information, including work evaluations, was also affected.
Ingram Micro said it acted quickly after discovering the intrusion, taking some systems offline and introducing additional security measures.
“Promptly upon detecting the issue, we began taking steps to contain and remediate the unauthorised activity, including proactively taking certain systems offline and implementing other mitigation measures,” the company said.
It also brought in external cybersecurity specialists and notified law enforcement authorities.
The July attack caused widespread disruption across the company, temporarily taking down its internal systems and website. Employees were asked to work from home as the firm attempted to contain the incident.
Although Ingram Micro partially resumed order processing within days, limiting disruption compared with other attacks last year, the impact was significant.
Some customers criticised the company’s communication during the incident, saying they struggled to find timely updates about the disruption.
Ingram Micro has not publicly identified the group responsible, but confirmed that the attacker deployed ransomware on its systems.
Media reports in July claimed the SafePay ransomware group was behind the breach. The group later claimed responsibility on its dark web leak site, saying it had stolen 3.5 terabytes of company data.
The group said it had published the stolen files, though the download link provided did not work.
SafePay emerged in late 2024 and has since claimed hundreds of victims. Security experts say the real number is likely higher, as many organisations that pay ransoms are never publicly listed.
One of SafePay’s earliest high-profile attacks, which helped bring the group to wider attention, targeted UK telematics firm Microlise.
The company disclosed a cyber incident in October 2024, with further details emerging the following month when SafePay claimed it had stolen 1.2 terabytes of data and issued a ransom demand with a deadline of less than 24 hours.
Since the start of 2025, the group has become one of the most active ransomware operations, filling the gap left by the takedown of major gangs such as LockBit and BlackCat.