Ransomware strike at Ingram Micro exposes sensitive records of ~42,500 people

🇺🇸United States

Information Technology DistributionCybersecurity

Mon, Jan 19, 2026

In early July 2025 Ingram Micro — a major IT distributor — detected malicious activity tied to a ransomware intrusion that investigators trace to July 2–3. The company isolated affected systems and restored most services by about July 9, but forensic work showed that files containing employment- and applicant-related personal identifiers were copied before containment. Ingram Micro says roughly 42,521 individuals’ records were involved; a criminal leak site later advertised and made available about 3.5 terabytes of material the actor claimed to have taken. Reported contents include government-issued ID numbers and hiring-related documentation that materially increases the risk of identity theft and targeted social‑engineering campaigns. The firm has offered 24 months of credit-monitoring and identity-protection services and has submitted at least one formal notification to a U.S. state regulator. Public posting of the archive magnifies downstream risk because copied records can be reused repeatedly in fraud and credential-stuffing long after operational recovery. From an operational and technical standpoint, the episode underscores two opposing observations: fast recovery and restoration suggest effective backup and recovery processes, while the fact of substantial exfiltration indicates early detection, segmentation or data-loss‑prevention controls were insufficient to stop data copying. The incident also mirrors a wider trend in which attackers exploit brief windows of exposure and move quickly from vulnerability discovery to active targeting, increasing the premium on rapid patching, prescriptive operational controls and strong third-party risk management. For customers and channel partners, the breach raises immediate questions about procurement, fulfilment and continuity when a central distributor is disrupted. In the weeks ahead Ingram Micro will need to validate forensic findings about exactly which records left the environment, expand monitoring for misuse, communicate clearly to affected individuals and stakeholders, and prepare for regulatory inquiries and potential litigation. The event is a reminder that distribution-layer providers concentrate systemic risk: compromises at those nodes can cascade across many downstream organizations and therefore prompt demands for demonstrable safeguards and architectural changes such as stronger segmentation and movement toward zero‑trust models.

PREMIUM ANALYSIS

Read Our Expert Analysis

Create an account or login for free to unlock our expert analysis and key takeaways for this development.

By continuing, you agree to receive marketing communications and our weekly newsletter. You can opt-out at any time.

Free Access

No Payment Needed

Join Thousands of Readers

Recommended for you

Cybersecurity

ManoMano: Support-Portal Breach Exposes Millions of Customer Records

ManoMano confirmed a support‑channel compromise tied to a third‑party supplier that a threat actor claims exposed ~37.8 million accounts and ~43 GB of support data. Corroborating incidents show attackers increasingly combine support‑system intrusions with credential caches and real‑time session orchestration—raising immediate risks from phishing, MFA bypass, and long‑tail credential‑stuffing and intensifying EU cross‑border regulatory exposure.

Cybersecurity

QualDerm Partners: 3.1M Patient Records Exposed in December Network Intrusion

Healthcare manager QualDerm Partners disclosed a December network intrusion that exposed 3,117,874 patient records after attackers retained access for about two days; the company has added the event to the HHS portal, notified impacted individuals and is offering 12 months of identity monitoring. The incident fits a broader pattern of threat actors targeting aggregator platforms where even short dwell times or archived‑data access produce large, reusable exfiltrations — a trend that is already reshaping insurer underwriting, regulatory attention, and vendor consolidation in health IT.

Cybersecurity

ApolloMD Data Breach Exposes PHI for Over 626,000 Individuals

A late‑May 2025 intrusion into ApolloMD’s systems led to the unauthorized access and copying of personally identifiable and clinical information for about 626,540 people, with some files containing Social Security numbers; the incident was later posted to a ransomware-linked leak site. ApolloMD reported the event to federal health authorities, began mailing breach notifications by September 2025 and is offering affected parties complimentary credit monitoring, highlighting broader third‑party risk in health data aggregation.

Cybersecurity

Advantest Hit by Ransomware; probe ongoing

Japan’s chip-test equipment maker reported an IT intrusion on Feb. 15 and says investigators found signs of ransomware on parts of its network. The company has not confirmed data theft and is evaluating impacts for customers and employees while response teams continue containment work.

Cybersecurity

Machine identities missing from ransomware playbooks

Enterprise ransomware playbooks commonly treat credential resets as a human-only control, leaving service accounts, API keys, tokens and certificates intact — a blind spot that accelerates lateral movement and drives recovery costs. Market shifts toward targeted, disruption-focused extortion and faster weaponization via agentic AI make that omission more dangerous: defenders must pair machine-identity governance with identity-first detection and quicker containment to blunt modern ransomware economics.

Cybersecurity

LexisNexis breach exposes legacy datasets, raises cloud-hygiene alarm

LexisNexis confirmed an intrusion that exposed legacy files and identifiers, with the attacker alleging exploitation of React2Shell and weak cloud controls. Immediate risks include exposed credentials, roughly 400,000 personal records, and elevated regulatory and insurance scrutiny — a pattern echoed by recent large-scale exfiltrations where fast operational recovery did not eliminate downstream fraud and identity risk.

Cybersecurity

Massive 149M credential trove exposes risks from infostealer malware to crypto and government accounts

A researcher found a publicly accessible collection of roughly 149 million stolen logins harvested by credential-stealing malware, including hundreds of thousands tied to major crypto platforms and numerous government-related accounts. The exposure stems from infected end-user devices rather than platform breaches, but it raises urgent questions about account hygiene, phishing risk, and detection across the crypto and social-media ecosystems.

Cybersecurity

Bitrefill Breach Tied to Lazarus Drains Wallets, Exposes 18,500 Orders

Crypto retailer Bitrefill disclosed a March intrusion that read ~ 18,500 purchase records and drained parts of hot wallets, with investigators linking traces and reused toolsets to the DPRK-linked Lazarus collective. Analysts note the tactics mirror recent supply‑chain and control‑plane operations—credential theft, ephemeral loaders and CDN/DNS abuse—meaning attribution may be strong on technique but not uniquely definitive.