The INC Ransomware group claimed responsibility for a data breach at **Dollar Tree**, alleging the theft of **1.2TB of sensitive and personal data**, including **passport copies, payroll forms, job letters, legal correspondence, and complaints involving sexual harassment and discrimination cases**. The leaked data primarily pertains to **former employees of 99 Cents Only Stores**, a separate entity from which Dollar Tree acquired only real estate lease rights—not its systems or data. Despite Dollar Tree’s denial of direct involvement, the ransomware group insists the breach is tied to the company. INC Ransomware, known for **double-extortion tactics**, has previously targeted high-profile victims like **Ahold Delhaize (6TB stolen) and the UK’s NHS**, demanding ransoms exceeding **$5 million**. The group operates with **sophisticated malware**, often rebranding (e.g., as *Lynx*) while maintaining aggressive extortion strategies. The breach underscores escalating cyber threats against major corporations, with **employee data exposure** posing reputational, legal, and operational risks. Dollar Tree’s response emphasizes the data’s origin from 99 Cents Only Stores, but the incident highlights vulnerabilities in third-party associations.
Source: https://hackread.com/inc-ransomware-1-2tb-data-breach-at-dollar-tree/
TPRM report: https://www.rankiteo.com/company/dollar-tree-stores
"id": "dol3762937090425",
"linkid": "dollar-tree-stores",
"type": "Ransomware",
"date": "7/2025",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'industry': 'Retail',
'location': 'United States',
'name': 'Dollar Tree',
'size': 'Fortune 500 (Revenue: $17.58B in FY2025)',
'type': 'Retail Chain'},
{'customers_affected': 'Former employees (data '
'allegedly sourced from this '
'entity)',
'industry': 'Retail',
'location': 'United States',
'name': '99 Cents Only Stores',
'type': 'Retail Chain (Defunct)'}],
'data_breach': {'data_exfiltration': '1.2TB of data allegedly stolen',
'file_types_exposed': ['PDFs', 'Documents', 'Scanned Images'],
'personally_identifiable_information': ['Passport copies',
'Payroll details',
'Employee names',
'Legal case details'],
'sensitivity_of_data': 'High (includes passports, legal '
'correspondence, harassment '
'complaints)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Legal Documents',
'Employment Records',
'Sensitive Complaints']},
'date_publicly_disclosed': '2025-07-29',
'description': 'The INC Ransomware group claimed responsibility for a data '
'breach at Dollar Tree, alleging the theft of 1.2TB of '
'sensitive and personal data, including passport copies, '
'payroll forms, job letters, agreements, legal correspondence, '
'and complaints detailing sexual harassment and discrimination '
'cases. Dollar Tree denied involvement, stating the data '
'likely originated from 99 Cents Only Stores, from which it '
'acquired only select real estate lease rights. The ransomware '
'group, known for double-extortion tactics, has a history of '
'high-profile attacks, including those on Ahold Delhaize and '
'the UK’s NHS.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'association with data breach claims',
'data_compromised': ['Passport copies',
'Payroll forms',
'Job letters',
'Agreements',
'Legal correspondence',
'Complaints (sexual harassment, '
'discrimination)'],
'identity_theft_risk': 'High (due to exposure of PII and sensitive '
'documents)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Threatened public release '
'of 1.2TB data on INC '
'Ransomware’s dark web '
'blog'},
'investigation_status': 'Ongoing; Dollar Tree denies involvement, attributes '
'data to 99 Cents Only Stores',
'motivation': ['Financial Gain', 'Data Theft', 'Extortion'],
'ransomware': {'data_exfiltration': '1.2TB of data threatened for public '
'release',
'ransomware_strain': 'INC Ransomware (aka GOLD IONIC / Lynx)'},
'references': [{'date_accessed': '2025-07-29',
'source': 'Hackread.com',
'url': 'https://www.hackread.com/inc-ransomware-dollar-tree-data-breach/'}],
'response': {'communication_strategy': 'Public denial of involvement; '
'clarification that data likely '
'originated from 99 Cents Only Stores'},
'stakeholder_advisories': 'Public statement denying involvement and '
'clarifying data origin',
'threat_actor': 'INC Ransomware (GOLD IONIC / Lynx)',
'title': 'Dollar Tree Data Breach Claimed by INC Ransomware Group',
'type': ['Data Breach', 'Ransomware Attack']}