The company disclosed the incident in a regulatory filing on March 10, when it admitted that the attack caused some disruption and involved unauthorized access to some of its IT systems. However, MarineMax said at the time that the breached environment did not store any sensitive data.

Roughly 10 days later, the Rhysida ransomware group took credit for the attack and launched an auction for data allegedly stolen from the company.

In a new SEC filing dated April 1, MarineMax said its investigation into the incident is ongoing, but it confirmed that the cybercriminals did exfiltrate ‘limited data’ from its systems, including customer and employee information. The compromised data includes personally identifiable information, the firm said.