Cyber Incident Victim: Sysco Corporation

Sysco, a global food distribution company, experienced a cybersecurity incident involving unauthorized system access beginning on January 14, 2023. The company detected the breach on March 5, 2023, when it initiated an investigation that confirmed threat actors had extracted sensitive data including business operations information, customer details, and employee records. According to internal communications dated May 3, 2023, and SEC filings submitted on May 2, 2023, the compromise affected U.S. and Canadian customer and supplier data alongside personal information of U.S.-based employees. Forensic analysis determined the attackers acquired payroll-related employee data such as names, Social Security Numbers, and financial account identifiers. Sysco disclosed in a Maine Attorney General filing that 126,243 individuals had their personally identifiable information exposed. The company stated the incident did not disrupt business operations or customer service activities during or after the breach.

Sysco engaged a cybersecurity firm to assist with the investigation and notified federal law enforcement agencies about the intrusion. In its SEC 10-Q filing and employee notifications, the company confirmed implementing additional security safeguards following containment of the breach and asserted no ongoing threat remained within its networks. Data breach notification letters were distributed to affected parties, though Sysco did not publicly specify whether ransomware or extortion tactics were employed by the attackers. With 71,000 employees and $68 billion in fiscal year 2022 revenue, the company emphasized its global distribution network of 333 facilities remained operational throughout the incident. The investigation remained ongoing as of the May 2023 disclosures, with Sysco preparing to fulfill regulatory obligations related to the stolen data.