Ingram Micro ransomware attack hit 42,521 people

The Ingram Micro ransomware attack impacted exactly 42,521 people, and the key detail is who those people are. This is being described primarily as an employee and job applicant data exposure, not a confirmed customer database leak. If you have ever worked at Ingram Micro or applied for a job there, this is the kind of incident that can turn into identity theft months later, even if everything “seems fine” today.

Here’s what’s confirmed, what’s only claimed, and what you should do now to reduce your risk.

What happened (timeline and confirmed scope)

Ingram Micro detected the cybersecurity incident on July 3, 2025. In its description of the response, the company said it moved quickly to contain and remediate the activity, including taking certain systems offline as a defensive step.

The big number, 42,521 affected individuals, comes from a breach notification filing that surfaced later. The Register reports that the 42,521 figure came from a filing with Maine’s attorney general office. TechRadar also reported the same count, citing the filing.

One important nuance: Ingram Micro has not publicly named the attacker in the notice details referenced by outlets. So when you see a specific ransomware group name attached to the incident, treat that as attribution from outside the company, not a confirmed statement from Ingram Micro.

What data may have been exposed (and why you should care)

This is not the usual “your email and password” story. Reporting indicates the affected data can include classic HR and applicant identifiers: names and dates of birth, and for some people, much higher risk data like Social Security numbers and government-issued ID details such as a passport or driver’s license, plus employment-related information.

Why it matters: HR and applicant data has a long tail. You can change a password in 30 seconds. You cannot “change” your date of birth, your prior employment history, or your government ID number the same way. That kind of dataset is exactly what criminals use for:

• New credit applications or account takeovers using identity verification questions
• Tax fraud (refund theft) and benefits fraud
• Convincing phishing that includes real personal details to get you to hand over more

Even if you are careful on Android and lock down your banking apps, identity theft often happens “around” your phone, with criminals using your info to pass verification checks and open accounts in your name.

SafePay’s claim vs. confirmed facts, plus what to do right now

Multiple outlets say the SafePay ransomware group claimed responsibility and listed Ingram Micro on its leak site, including an alleged theft of 3.5TB of data. That number is not independently verified in the public reporting, and it’s coming from the attackers’ own post, so treat it as a claim, not a proven measurement of what was exfiltrated.

What you should do does not depend on whether 3.5TB is real. It depends on whether your personal identifiers were in the affected pool, and whether you can reduce downstream damage.

Practical steps (do these in order):

• Watch for an official notification letter or email. Breach notices often arrive long after the incident date. If you moved, consider whether Ingram Micro would have an old address on file from hiring paperwork.
• Freeze your credit with the three major bureaus if you are in the US. A freeze blocks most new credit from being opened in your name, and it is stronger than “just monitoring.”
• Set up fraud alerts if you are not ready to freeze. It is a lighter step but still adds friction for new credit checks.
• Monitor your existing financial accounts (bank, credit cards, brokerage) for small “test” charges and new payees. Turn on push alerts in your banking apps so you see transactions instantly.
• File for an IRS IP PIN if you have a US SSN and you want extra protection against tax refund fraud. It is one of the most effective identity controls most people never set up.
• Harden your email account (Gmail, Outlook, etc.) with strong 2FA. Email takeover is a common bridge to financial takeover because it enables password resets elsewhere.
• Be picky about inbound “breach support” messages. After widely reported incidents, scammers often impersonate the company or offer fake credit monitoring. Do not click links from unexpected texts.

If you want to validate what’s public, the most actionable breadcrumbs are the breach notification channels and state breach listings referenced in coverage, including the Maine AG filing mentioned above. That’s often where the affected count and data categories show up first, even when the company’s main site post is short on specifics.

The takeaway

This incident is a good reminder that ransomware is not only about downtime. Even if operations get contained and restored, the lasting damage can shift to workforce identity data, and that blast radius can follow people for years.

If you are in the affected group, act like your identifiers could be used later. Credit freezes, strong account security, and tax identity protections are boring, but they work.