Food distribution company Sysco has confirmed that customer, business and employee data was stolen in a cyber attack it suffered earlier this year.
The cyber attack is thought to have taken place on January 14, 2023 and was detected by Sysco on March 5.
According to BleepingComputer, Sysco said in an internal memo sent on May 3 that data from companies and suppliers located in the US and Canada as well as data from US employees may have been accessed during the cyber attack. The employee data accessed is believed to include name, social security number, account numbers and other personal information provided to Sysco for payroll purposes.
In data breach notices sent to those affected by the breach, Sysco said that the threat actor responsible for the cyber attack gained unauthorized access to its systems and “claimed to have acquired certain data”.
Sysco also disclosed the breach in a quarterly report filed with the US Securities and Exchange Commission on May 2, in which the company said the malicious actor “extracted certain company data, including data relating to operation of the business, customers, employees and personal data”.
An investigation into the breach is ongoing, with Sysco saying it has “begun the process of preparing to comply with its obligations with respect to the extracted data”. The food distribution company has also employed a cyber security firm to investigate the breach.
According to Sysco, its operations were not affected by the cyber attack and its networks are now secure as safeguarding measures to prevent further breaches.