Maine filing confirms July attack affected 42,521 employees and job applicants Ingram Micro disclosed that a July 2025 ransomware attack compromised the personal data of tens of thousands of employees.…
Analysis Summary
# Incident Report: Ingram Micro July 2025 Ransomware Attack
## Executive Summary
In July 2025, Ingram Micro experienced a significant ransomware attack, likely conducted by the group SafePay, resulting in the exfiltration of personal data belonging to 42,521 employees and job applicants. The company detected the intrusion on July 3rd, immediately took systems offline as a containment measure, initiated an investigation with third-party experts, and notified law enforcement. The primary impact was a data breach involving sensitive personal identifiers and employment records.
## Incident Details
- Discovery Date: July 3, 2025
- Incident Date: July 2, 2025
- Affected Organization: Ingram Micro
- Sector: Technology Distribution
- Geography: Undisclosed (breach notification filed in Maine, USA)
## Timeline of Events
### Initial Access
- Date/Time: July 2, 2025
- Vector: Not disclosed (the specific initial access vector is not detailed in the provided text)
- Details: Attack attributed to the ransomware group SafePay.
### Lateral Movement
- Details: Ransomware actors moved through the network, ultimately leading to data exfiltration. (Specific techniques not detailed)
### Data Exfiltration/Impact
- Date/Time: Prior to July 3, 2025
- Impact: Compromise and potential theft of sensitive personal data and employment records (SafePay allegedly stole 3.5 TB of files).
### Detection & Response
- Date/Time: July 3, 2025
- Detection: The organization detected the intrusion while it was still in progress.
- Response: Prompt containment actions, including proactively taking certain systems offline and implementing mitigation measures. An investigation with cybersecurity experts was initiated, and law enforcement was notified.
## Attack Methodology
*Note: Specific technical details regarding the attack steps were not disclosed in the summary text. The following fields are based on the nature of the confirmed event (Ransomware/Data Exfiltration).*
- Initial Access: Unknown (the specific vector was not disclosed; ransomware was deployed after access had been obtained)
- Persistence: Unknown
- Privilege Escalation: Unknown
- Defense Evasion: Unknown
- Credential Access: Implied, as it would be required for data access and exfiltration
- Discovery: Implied, as it would be required to identify sensitive data
- Lateral Movement: Implied, as it would be required to reach the data stores
- Collection: Gathering of allegedly 3.5 TB of files.
- Exfiltration: Data theft targeting employee and applicant information.
- Impact: Encryption (implied by ransomware) and data exposure.
## Impact Assessment
- Financial: Substantial, given prior reporting of several days of disruption and daily revenue of ~$190 million (though operational disruption was more limited than for some contemporaries).
- Data Breach: 42,521 individuals affected. Data types include names, contact information, dates of birth, passport numbers, driver’s license numbers, Social Security numbers, and work-related evaluations.
- Operational: Partial disruption; some regional staff sent home, and MSP sources reported being unable to manage customer services temporarily. Orders partially resumed within days.
- Reputational: Negative feedback received regarding poor communication during the incident.
## Indicators of Compromise
- *No specific technical IoCs (IPs, hashes, domains) were provided in the summary.*
- **Behavioral Indicator:** Ransomware activity leading to system shutdown and data theft, attributed to SafePay.
## Response Actions
- Containment: Proactively taking certain systems offline immediately upon detection.
- Eradication: Implementation of general mitigation measures (details unspecified).
- Recovery: Partial resumption of orders within days of the intrusion.
- Other: Initiated investigation with leading cybersecurity experts and notified law enforcement.
## Lessons Learned
- The necessity of strong, multi-faceted communication protocols during a crisis, as customer criticism focused on the lack of timely updates.
- The high degree of operational and reputational risk tied to even brief disruptions for high-revenue distributors.
## Recommendations
- Enhance pre-incident tabletop exercises to specifically address communication workflows for external stakeholders (customers, MSPs) during major incidents.
- Review and strengthen controls around sensitive PII and employment data to limit impact should initial access occur.
- Maintain comprehensive, up-to-date backup strategies to minimize the need for downtime following future encryption events.