Iron Mountain Data Breach Only Impacted Marketing Resources

Data storage and recovery services company ‘Iron Mountain’ suffered a data breach. Extortion gang ‘Everest’ was behind the breach. Iron Mountain said the breach was limited to marketing materials. The company specializes in records management and data centers, and it has more than 240,000 customers globally in 61 countries.

About the breach 

The gang claimed responsibility on the dark web, saying it had stolen 1.4 TB of internal company documents. Threat actors used leaked login credentials to access a single folder on a file-sharing server that held marketing materials.

Experts said that Everest actors didn’t install any ransomware payloads on the server, and no extra systems were breached. No sensitive information was exposed. The compromised login accessed one folder that had marketing materials. 

The Everest ransomware group has been active since 2020. It has since changed its tactics. Earlier, it used to encrypt targets’ systems via ransomware. Now, it focuses on data-theft-only corporate extortion. Everest is infamous for acting as an initial access broker for other hackers and groups. It also sells access to compromised networks.

History 

In the last 5 years, Everest’s victim list has grown to hundreds on the portal where it lists victims. The portal is used in double-extortion attacks, where the hackers threaten to publish stolen files if the victims don’t pay a ransom.

The U.S. Department of Health and Human Services also issued a warning in August 2024 that Everest was increasingly focusing on healthcare institutions nationwide. More recently, the cybercrime operation removed its website in April 2025 after it was vandalized and the statement “Don’t do crime CRIME IS BAD xoxo from Prague” was posted in its place.

If the reports of sensitive data theft turn out to be accurate, Iron Mountain’s clients and partners may be at risk of identity theft and targeted phishing. Iron Mountain’s present evaluation, however, suggests that the danger is restricted to the disclosure of non-confidential marketing and research documents. 

What is the impact?

Such purported leaks usually result in short-term reputational issues while forensic investigations are being conducted. Iron Mountain has deactivated the compromised credential as a precaution and is still keeping an eye on its systems. 

Vendors or affected parties who used the aforementioned file-sharing website should be on the lookout for odd communications. Iron Mountain’s response to these unsubstantiated allegations must be transparent throughout the investigation.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents