
Food Distributor Sysco Suffers Data Breach Leaking Customer and Employee Personal Information

Leading American food distributor Sysco is investigating a data breach that potentially leaked business, employee, and customer data.

On March 14, 2023, Sysco discovered that a threat actor gained access around January 14, 2023, and allegedly accessed corporate and personal information.

Although the investigation is still in progress, Sysco has begun notifying impacted individuals and has reported the incident to relevant law enforcement agencies.

With more than 333 distribution facilities globally and 700,000 collection centers, Sysco has 71,000 employees. Ranked 70th (2023) on the Fortune 500 list of companies, Sysco recorded $68.6 billion in revenue in 2022.

Food distributor Sysco discloses a data breach in 10K SEC filing

Acknowledging the attack, the food distribution company said it responded by launching an investigation with external cybersecurity and forensics professionals and notifying federal law enforcement.

“The investigation determined that the threat actor extracted certain company data, including data relating to operation of the business, customers, employees and personal data,” the food distributor said in an SEC 10-Q filing.

Sysco believes the threat actor exfiltrated personal information, including names, Social Security numbers, and unspecified account information. The data breach impacted US and Canadian customers and Sysco employees in the United States. Both current and former employees were impacted.

“While we have not yet fully validated these claims, we have determined that personal information for some of our current and former colleagues has been impacted,” Sysco said in the data breach notification letter.

The food distributor also disclosed that the data breach did not affect its internal business or customer operations. Additionally, the threat actor was successfully isolated from the network, and the food distributor implemented extra security measures to prevent a similar attack in the future.

Sysco has begun notifying the impacted individuals and offered 24 months of free credit monitoring services with Experian to protect them from identity theft.

Meanwhile, the data breach victims could place a “credit freeze” on their files to prevent creditors from accessing their credit information, thus preventing fraudsters from successfully opening accounts using the stolen data.

They should also take additional steps to protect themselves from online fraud by monitoring their accounts and reporting suspicious transactions to credit monitors, financial institutions, and law enforcement authorities.

“The investigation is ongoing, and Sysco has begun the process of preparing to comply with its obligations with respect to the extracted data,” the food distributor said.

Sysco has not disclosed the attack vector, the number of individuals affected, or if the data breach originated from an attempted ransomware attack.

“As more data unfolds as to the cause and impact of the Sysco security breach, certain steps are required to validate a complete understanding of the attacker’s path, objectives, any possible backdoor, and even attribution are critical to nail down quickly,” said Roy Akerman, Co-Founder & CEO at Rezonate.

Food distributors targeted by cyber attacks

Food distribution companies are attractive targets for hackers because of their dependence on technology and, as a result, the vast amounts of data they hold, as well as the impact that an attack could have on their operations and the supply chain.

In February 2023, North American food giant Dole Food Company suffered a ransomware attack that disrupted regional operations. And a ransomware attack in June 2021 on the world’s largest meat processor, JBS, highlighted the threat cyber-attacks pose to food processing, storage, and distribution companies.