More than six months after a ransomware attack, Ingram Micro has announced how many people have been affected. The data breach affected more than 42,000 individuals, including employees and job applicants, whose personal data was stolen between July 2 and July 3, 2025.
On July 3, 2025, the IT distributor discovered that an unauthorized third party had stolen files from internal storage systems. The company went offline that day and immediately launched an investigation with cybersecurity experts. Systems were also proactively taken offline, and the police were called in.
The stolen data contains sensitive information such as names, contact details, dates of birth, and government-issued identification numbers. This includes social security numbers, driver’s license numbers, and passport numbers. Work-related information, such as performance reviews, was also part of the haul. The specific data affected per person varies.
SafePay ransomware group claimed responsibility
The attack was carried out by the SafePay ransomware group, a relatively young but fast-growing cybercriminal organization. SafePay claimed to have stolen 3.5 terabytes of data and posted Ingram Micro on their darknet site. By May 2025, the group had already carried out 70 attacks, accounting for 18 percent of all measured compromises in that month.
According to their own statements, the attackers used GlobalProtect, Ingram Micro’s VPN solution, as their access route. The company is said to have implemented security configurations incompletely, giving criminals ample time to explore the systems.
Ingram Micro is offering two years of free credit monitoring and identity protection services to affected employees and job applicants. The company advises those affected to remain vigilant by checking their bank statements and using free credit reports.
Months of silence after major impact
The attack had major consequences at the time. Ingram Micro was completely unavailable for several days, leaving managed service providers worldwide unable to access essential software and hardware licenses. Critical backup licenses were inaccessible, preventing many MSPs from serving their customers.
According to customers, Ingram Micro’s communication was inadequate at the time. Long queues for support and only automated email responses caused frustration. It was only after three days that the company confirmed that external access had been blocked and gradually began recovery.
More than six months later, the company has now announced the exact impact in a letter. The notification letter is dated January 16, 2026, while the attack took place in July 2025. For affected employees, this means they have been in limbo for months about the exact consequences.
Ingram Micro has indicated that, according to its current security policy, it could prevent such attacks. The company has implemented additional security and monitoring measures. Ingram Micro has not disclosed whether it actually paid ransom to SafePay.