Food distributor Sysco says cyberattack potentially leaked 125,000 Social Security numbers

A cyberattack on Sysco, one of the world’s largest food distributors, gave hackers access to the sensitive personal information of more than 125,000 current and former employees.

In documents filed with state regulators in Maine, the company said an incident in January leaked troves of sensitive employee information. Sysco has more than 71,000 current employees, operates in over 90 countries and reported sales of more than $68 billion in 2022.

Hackers spent nearly three months in the company’s systems before IT teams discovered the incident. According to breach notification letters sent to 126,243 people across the U.S., the hackers first broke into Sysco’s systems on January 14 but were only discovered on March 5.

The Houston-based company did not say whether it was a ransomware attack or what group was involved, but noted in the letters that the threat actor “claimed to have acquired certain data.”

“While we cannot confirm at this time specifically what information may have been impacted for each individual colleague, we believe it could include some combination of the following data: personal information provided to Sysco for payroll purposes, including name, social security number, account numbers or similar information,” the company said.

Sysco said it opened an investigation “in partnership with a leading cybersecurity firm and other experts” and notified federal law enforcement.

Operational systems and business functions “suffered no impact as a result of the event” and customer services were never interrupted, the company said.

Victims can receive 24 months of identity protection services with Experian.

The company reported the incident to the U.S. Securities and Exchange Commission on May 2, noting that in addition to the information on employees, the hackers “extracted certain company data, including data relating to operation of the business, customers,” and more.

“The investigation is ongoing, and Sysco has begun the process of preparing to comply with its obligations with respect to the extracted data,” the food giant said.

The incident was first reported by BleepingComputer on May 9 after the company sent out a memo to employees about the attack.