Ingram Micro has said in breach-notification materials filed with the Maine Attorney General that the July 2025 ransomware incident affected 42,521 people.
The reporting said the exposed information can include names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers/other government-issued IDs, and employment-related information, depending on the individual.
What Ingram Micro said in July 2025
In its July 5, 2025 statement filed on its investor-relations site and posted to the SEC’s EDGAR archive, Ingram Micro said it had “identified ransomware on certain of its internal systems,” took steps to secure the environment (including proactively taking certain systems offline), engaged external cybersecurity experts, and notified law enforcement.
The company also published an incident webpage reiterating that sequence and referencing ongoing restoration efforts following the disclosure.
The Maine filing said Ingram Micro determined attackers accessed certain internal file repositories on July 2–3, 2025, and that some of the accessed files contained personal data (with the specific data elements varying by person).
Those notices tie the data exposure to the operational disruption Ingram Micro acknowledged at the time, taking systems offline as part of containment, without naming the intruder in Ingram Micro’s own public statements.
Suspected actor reports
On attribution of the suspected actor: Ingram Micro has not publicly identified a threat group in its July 2025 statements. Separately, multiple outlets reported that the ransomware group SafePay listed Ingram Micro on its leak site and claimed to have stolen data, claims reported as assertions by the group rather than confirmed by the company.
As of the disclosure reporting, Ingram Micro had not publicly confirmed whether any data was published, nor did it disclose ransom demands or payment details in its public statements.
Market and legal context
The notification filings surfaced in mid-January 2026, roughly six months after Ingram Micro said it had restored business operations globally by July 9 and was operational across all countries and regions where it transacts business.
The consumer notices described the types of personal data involved and offered 24 months of Experian identity protection, according to reporting based on the filed letters. Separately, Srourian Law Firm said it is investigating potential claims tied to the incident; such announcements reflect attorney outreach and do not, by themselves, indicate that litigation has been filed.