Sysco

Sysco, a leading global food distribution company, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data.

In an internal memo sent to employees on May 3rd and seen by BleepingComputer, the company revealed that customer and supplier data in the U.S. and Canada, as well as personal information belonging to U.S. employees, may have been impacted in the incident.

"On March 5, 2023, Sysco became aware of a cybersecurity event perpetrated by a threat actor believed to have begun on January 14, 2023, in which the threat actor gained access to our systems without authorization and claimed to have acquired certain data," Sysco added in data breach notification letters sent to some of the affected individuals.

In total, the data breach affected 126,243 individuals, who had their names and other personal identifiers exposed together with Social Security Numbers, as revealed in a filing with the Maine Attorney General's Office.

Sysco also confirmed the security breach in a 10-Q quarterly report filed with the U.S. Securities and Exchange Commission one week ago, on May 2nd.

"The investigation determined that the threat actor extracted certain company data, including data relating to operation of the business, customers, employees and personal data," the company said.

"The investigation is ongoing, and Sysco has begun the process of preparing to comply with its obligations with respect to the extracted data."

The company believes the employees' data stolen from its systems during the breach is a combination of the following: personal information provided to Sysco for payroll purposes, including name, social security number, account numbers, or similar info.

Sysco also hired a cybersecurity firm to help investigate the incident and notified federal law enforcement of the cyberattack.

Sysco: No impact on customer service and business operations

The incident has not impacted its business operations, and customer service has not been interrupted, according to the 10-Q SEC filing.

Sysco also told affected individuals that there is no ongoing threat to its network and that its security team implemented additional safeguards to prevent a similar breach from occurring in the future.

With more than 71,000 employees, Sysco operates 333 distribution facilities worldwide and services around 700,000 customer locations, including restaurants, healthcare, and educational facilities.

According to its website, Sysco generated over $68 billion in sales for the fiscal year 2022, which ended July 2, 2022.

A Sysco spokesperson was unavailable for comment when contacted by BleepingComputer earlier today.

Update: Added link to data breach notification letter sample.

Update 2: Added info on the number of individuals affected by the data breach.
