Last July, a computer intrusion into Ingram Micro, one of the world's largest B2B distributors and service providers, led not only to a ransomware attack but also to a data leak that has ended up affecting more than 42,000 people. The company, with tens of thousands of employees and thousands of customers all over the world, acknowledged that cybercriminals were able to extract sensitive documents from its internal repositories, according to official notifications submitted to the Maine Attorney General's Office and sent to those affected.
In these communications, published by the Maine Attorney General's Office, Ingram Micro explains that it detected the intrusion on 3 July 2025 and that the attackers accessed files between 2 and 3 July. The exfiltrated data include employment and job applicant records with personal information such as names, contact details, dates of birth and government identification numbers, including Social Security, driver's license and passport numbers. The official documentation is available in the notification published by the Maine Attorney General's Office and in the government's public filing viewer.

The incident was not limited to the loss of information: the attack caused a massive outage of the company's internal systems and its website, forcing the organization to ask its employees to work from home while it recovered operations. Such operational outages highlight the real cost of a cyber attack: interruptions, loss of productivity and reputational damage, in addition to the risk to the people whose data are exposed.
Although Ingram Micro has not publicly confirmed a link with a particular group, specialized media began to point to the group known as SafePay just days after detection. BleepingComputer reported the first signs of ransomware use and, weeks later, researchers observed that the attackers had listed the company on a leak portal where they claimed to have stolen 3.5 TB of documents.
SafePay emerged in late 2024 and, in a matter of months, has become one of the most active operators in the ransomware criminal ecosystem. Its modus operandi is double extortion: it first copies sensitive data and then encrypts systems, demanding a ransom and threatening to publish the information if it is not paid. An analysis of the growth and tactics of this group can be found in specialized studies, such as the Acronis report "SafePay: the rising threat".
The case of Ingram Micro highlights several worrying trends that are shaping corporate cybersecurity in 2025. On the one hand, attacks are often directed at suppliers and distributors with long chains of customers and partners, because compromising these nodes multiplies the impact. On the other hand, ransomware groups are becoming more professional: they run leak portals, negotiate ransoms and exploit human and technical failures quickly.
For those affected by the Ingram Micro leak, the immediate consequences are clear: risk of identity theft, fraud attempts and impersonation. When such sensitive identification numbers and personal data are exposed, urgent measures include monitoring credit, considering a freeze on credit reports, reviewing bank alerts and distrusting suspicious messages or calls that request additional information. Official resources for victims of identity theft and practical recommendations are available at sites such as IdentityTheft.gov.
From the corporate point of view, incidents of this caliber make it necessary to strengthen controls on several fronts: network segmentation, isolated and verified backups, multi-factor authentication for critical access, patch management and employee awareness programmes. It is also essential to prepare for incident response and for transparency with regulators and affected parties, both for reasons of legal responsibility and to maintain the confidence of customers and partners. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains practical guides on how to mitigate and respond to ransomware attacks on its ransomware resource page.
Beyond technical measures, there is an open debate on how to handle extortion: to pay or not to pay a ransom. Paying can stop the immediate publication of data and restore services, but it feeds a criminal market and does not guarantee the removal of leaked copies. Many organizations and governments therefore recommend investing in prevention and resilience rather than giving in to demands.

The Ingram Micro incident also has regulatory and contractual implications. Companies acting as technology intermediaries handle large volumes of employee and client data; a failure in their security can trigger reporting obligations, fines and liability towards affected customers. Accountability and clarity in communication after an incident are key to limiting legal and reputational damage.
Finally, this episode is a reminder that cybersecurity is a collective problem. Criminals respect neither borders nor business size: they attack wherever an opportunity arises. The response requires sustained investment, collaboration between the private sector, authorities and cybersecurity providers, and an organizational culture that prioritizes the protection of sensitive data. To follow the evolution of the case and access the company's official information, see the Ingram Micro corporate website, ingrammicro.com, as well as the coverage and analysis in the specialized press.
In the meantime, people who have received notifications from the company should take the recommended preventive measures and keep a record of communications about the incident; companies, for their part, have the opportunity, and the obligation, to review and harden their defenses before the next attack strikes.