1.2TB of Stolen Data? Dollar Tree Denies Massive Hack by INC Ransom

Today, INC Ransom has claimed Dollar Tree as its latest victim. Dollar Tree operates 16,774 stores across the United States, along with five Canadian provinces. According to the attacker’s Tor site, the group exfiltrated 1.2 TB of data, which contains personal information.

As a note, INC Ransom’s leak site may contain a typographical error, 1,2 TB, which is a sizable disparity. However, at this time, the exact size of the data trove cannot be confirmed. However, INC Ransom asserts that the data will be published soon on their blog.

INC Ransom published 24 images on their leak site, confirming the exposure of personally identifiable information (PII). This included photocopies of passport cards and a passport, a screenshot listing individuals named in sexual harassment and discrimination complaints with brief descriptions of the allegations, an unrelated confidentiality agreement, payroll forms, and various other highly sensitive documents.

While INC Ransom has not published a specific ransom deadline, it is reasonable to assume one exists, given their consistent use of a ransom-based extortion model.

Dollar Tree Refutes Breach, Leaving Questions

According to a Dollar Tree spokesperson, the claims made by INC Ransom are inaccurate, pointing out that the examples leaked on their Tor site refer to former employees from 99 Cents Only Stores.

Dollar Tree emphasized that its engagement with 99 Cents Only was strictly limited to select real estate lease rights following the chain’s closure. Furthermore, Dollar Tree clarified that it did not acquire 99 Cents Only’s corporate entity or any of its infrastructure in any way.

This means that the stolen data likely came from former 99 Cents Only employees, although this raises a question of discrepancy. If Dollar Tree never acquired 99 Cents Only's IT infrastructure or data systems, how exactly did data allegedly belonging to 99 Cents Only employees get leaked and attributed to Dollar Tree by INC Ransom?

It is possible that INC Ransom misattributed the data. Given the early stage of the investigation, it remains unclear until further information comes to light.

How INC Ransom Operates

INC Ransom is known to launch multi-vector attacks, whereas most double-extortion groups often favor lesser sophistication, purchasing InfoStealer logs from darkweb markets. For example, INC Ransom deploys spear phishing campaigns, including web server exploitation methods.

Once they gain access to devices, they use tools such as PsExec, AnyDesk, NetScan, Mimikatz, and other tools for lateral movement across compromised networks for privilege escalation.

Once sensitive information is obtained and exfiltrated, they destroy any backups to ensure the files cannot be recovered, encrypt critical systems so normal operations are disrupted, and force victims into a corner, compelling them to negotiate or pay up.