Ingram Micro is being threatened with a data leak from SafePay – the group that carried out a ransomware attack on the distributor earlier this summer.
SafePay indicated it has 3.5TB of stolen data from the channel player, listing it as one of its victims on its site. The listing of the Ingram data details is seen as a threat the firm will leak the information unless the distributor plays ball.
The latest development marks almost a month since the attack first came to light and Ingram disclosed it had to take systems offline over the weekend of the 5 July. Since then, the firm has been working hard to understand the attack and to restore systems, publicly assuring these steps had been done fairly soon after the initial problems emerged.
“Ingram Micro has been working diligently with leading third-party cyber security experts to investigate and remediate the cyber security incident announced on 5 July 2025, including proactively taking certain systems offline and implementing other mitigation measures,” the firm stated just a few days after the attack.
“Based on these measures and the assistance of third-party cyber security experts, we believe the unauthorised access to our systems in connection with the incident is contained and the affected systems remediated. Our team has been working around the clock on this matter to restore affected systems. We have implemented additional safeguards and monitoring measures to protect our network environment as we bring our systems back online.”
Despite those efforts to move on from the attack, the threat of a data leak is now something the channel firm will have to deal with.
Peter King, principal consultant at Acumen Cyber, said SafePay was following an established pattern to threaten victims. “This is a tactic threat actors use to place more pressure on victims, hoping to encourage them into paying,” he said.
“Given the notice is still up on SafePay’s leak site, this suggests Ingram Micro hasn’t opted to pay. Furthermore, in a few months, this option could be fully removed anyway, especially if the government announces that major MSPs and channel providers will be covered by the ransomware payment ban,” he added.
King said the 3.5TB, if accurate, raised eyebrows because it was a significant amount of data for the criminals to scrape off the distie’s systems. “The major concern about this attack is how SafePay managed to gain access to such a large volume of data in the first place. As one of the world’s largest channel companies, cyber defences are mandatory, especially given the supply chains Ingram Micro will fall into,” he said.
He added that there were lessons from the attack for all channel companies to take note of because anyone working in the tech supply chain was an attractive target. “In an era of increased digital interconnectedness, supply chain attacks are the new norm, and all organisations have a duty to protect their environments, otherwise, the impacts of attacks can spread far and wide, well outside of their own environments,” he said.
According to Acronis Threat Research, which has been tracking the rise of SafePay, the ransomware group is now one of the most active, striking more than 200 victims worldwide, including MSPs and SMEs in Q1.
