The infamous INC Ransomware group has asserted responsibility for a significant data breach involving Dollar Tree, a prominent American retail chain recognized for offering products primarily at $1.25 or lower. Despite its budget-friendly pricing strategy, Dollar Tree ranks among Fortune 500 companies, reporting revenues of $17.58 billion for the fiscal year 2025.
Today, Dollar Tree’s name surfaced on the INC Ransomware’s dark web leak site, where the group claims to have compromised the company’s security and extracted 1.2 terabytes of sensitive personal information.
In a statement released by the group, they declared, “They have become a victim of a data breach. The 1.2TB of sensitive and personal data will soon be published on our blog.”
Samples of the leaked files available on the site indicate a concerning breadth of sensitive information, including copies of passports, completed payroll documents, job letters, agreements, and legal correspondence that discusses cases of sexual harassment and discrimination within the company.
The situation is further complicated by claims from the ransomware group concerning 99 Cents Only Stores, which involve files related to former employees of that organization. Dollar Tree’s acquisition of 99 Cents Only Stores was limited to specific real estate lease rights following the latter’s closure, explicitly excluding any purchase of their corporate data, systems, or networks. The company has firmly stated that any implication of involvement is erroneous.
INC Ransomware: A Notorious Cybercrime Group
Operating since at least July 2023, INC Ransomware, also referred to as GOLD IONIC, has gained notoriety for its sophisticated cyber tactics and deployment of various malware families in its attacks. The group focuses on a diverse range of sectors, particularly within the United States and Europe, and has been linked to several major breaches, including the successful ransomware attack on Ahold Delhaize, which resulted in the theft of 6 terabytes of data.
In December 2024, the group notably affected the UK’s National Health Service (NHS), compromising patient data and disrupting services across multiple healthcare institutions. The group followed this up in March 2024 by targeting NHS Scotland, stealing 3TB of data and threatening public exposure unless their ransom demands, reportedly exceeding $5 million, were satisfied.
Known for their double-extortion strategies, INC Ransomware not only encrypts data but also exfiltrates it, thereby threatening to publish the information online if ransoms go unpaid. Recently, the group has rebranded itself as Lynx, continuing its operations using the same methodical tactics against critical sectors in the US and UK.
Another Day, Another Ransomware
The escalation of ransomware incidents is evident, with recent examples including a data breach at NASCAR attributed to the Medusa ransomware group, which is demanding a $4 million ransom. Also, on July 28, 2025, the GLOBAL GROUP ransomware gang claimed responsibility for breaching Miami’s media giant Albavisión, allegedly stealing 400GB of data.
The breach involving Dollar Tree exemplifies the escalating dangers within the cybersecurity landscape, highlighting the urgency for businesses, both large and small, to enhance their security measures against ever-evolving cyber threats.
Update – Company Response
Following the release of this report, a Dollar Tree spokesperson responded to the claims made by INC Ransomware. The company refuted any allegations linking it to the data leak, instead asserting that the data in question likely belongs to 99 Cents Only Stores.
“We are aware of claims made by a ransomware group regarding 99 Cents Only Stores. The files referenced in these claims appear to involve former 99 Cents Only employees. Dollar Tree’s involvement with 99 Cents Only Stores is related to the purchase of select real estate lease rights following their closure. We did not acquire their corporate entity, systems/network, or data. Any allegation of Dollar Tree’s involvement is inaccurate.”
Dollar Tree Spokesperson
As more details emerge, Hackread.com is closely monitoring the situation and will provide updates as necessary, particularly if further data is released that could either validate or challenge the claims made by the ransomware group.
