Sysco, a prominent worldwide food distribution corporation, has officially verified that it experienced a security breach earlier this year, resulting in the theft of sensitive data such as business records, customer information, and employee data.
According to an internal memo dated May 3rd, which was obtained by BleepingComputer, the company disclosed that the breach may have affected customer and supplier data in the United States and Canada, along with personal information belonging to employees based in the United States.
In its initial disclosure, made through a Form 10-Q filing with the US Securities and Exchange Commission (SEC) in early May, the company unveiled that it had detected the data breach on March 5, 2023.
However, the company also stated that unauthorized access by the attackers to its systems most likely began on January 14, 2023.
During that time frame, the company said, “the attackers stole company data related to operation of the business, customers, employees, and personal data.“
Now, the food distributor is informing current and former employees that personal information such as “names, Social Security numbers, account numbers, and other information provided for payroll purposes” might have been compromised in the data breach.
The letter to impacted employees says, “the threat actor gained access to our systems without authorization and claimed to have acquired certain data.”
This suggests that it may have been a ransomware attack.
In total, the data breach impacted 126,243 individuals, whose names and other personal identifiers, including Social Security Numbers, were exposed.
This information was disclosed in a filing submitted to the Maine Attorney General’s Office.
The company has determined that the data stolen from its systems during the breach is a combination of personal information that employees had provided to Sysco for payroll purposes.
This includes details such as names, social security numbers, account numbers, or similar information.
To aid in the investigation of the incident, Sysco has enlisted the services of a cybersecurity firm.
Additionally, they have promptly notified federal law enforcement about the cyberattack.