Monro, Inc.

The Maine Office of the Attorney General disclosed a data breach affecting Monro, Inc. on March 25, 2025, which was initially detected on November 29, 2024. The incident involved unauthorized access to an employee’s email account, exposing sensitive personal information of 112,458 individuals, including names and Social Security numbers (SSNs). The breach stemmed from a compromised employee mailbox, likely due to phishing or credential theft, enabling attackers to exfiltrate personally identifiable information (PII). While the full scope of misuse remains unclear, the exposure of SSNs heightens risks of identity theft, financial fraud, and long-term reputational damage for the company. Monro, Inc., a provider of automotive undercar services, now faces regulatory scrutiny, potential lawsuits, and the operational burden of notifying affected individuals, offering credit monitoring, and reinforcing cybersecurity protocols to prevent future incidents.

Source: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/ec3e23fb-4981-43ed-be7d-7aedcac21775.html

TPRM report: https://www.rankiteo.com/company/monroinc

"id": "mon528082125",
"linkid": "monroinc",
"type": "Breach",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 112458,
                        'industry': 'Automotive Services (Tires, Maintenance, '
                                    'Repairs)',
                        'location': 'United States (Headquartered in New York)',
                        'name': 'Monro, Inc.',
                        'type': 'Corporation'}],
 'attack_vector': 'Unauthorized Access (Email Compromise)',
 'data_breach': {'file_types_exposed': ['Email Content'],
                 'number_of_records_exposed': 112458,
                 'personally_identifiable_information': ['Names',
                                                         'Social Security '
                                                         'Numbers'],
                 'sensitivity_of_data': 'High (includes SSNs)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2024-11-29',
 'date_publicly_disclosed': '2025-03-25',
 'description': 'The Maine Office of the Attorney General reported a data '
                'breach involving Monro, Inc. The breach involved unauthorized '
                'access to an employee’s electronic mailbox, potentially '
                'affecting personal information for 112,458 individuals, '
                'including names and social security numbers.',
 'impact': {'data_compromised': ['Names', 'Social Security Numbers'],
            'identity_theft_risk': 'High (SSNs exposed)',
            'systems_affected': ['Employee Email Mailbox']},
 'initial_access_broker': {'entry_point': 'Employee Email Mailbox'},
 'references': [{'date_accessed': '2025-03-25',
                 'source': 'Maine Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': ['Maine Office of the '
                                                        'Attorney General']},
 'response': {'communication_strategy': 'Public disclosure via Maine Attorney '
                                        'General'},
 'title': 'Monro, Inc. Data Breach via Unauthorized Email Access',
 'type': 'Data Breach'}