Dollar Tree, a leading discount retail chain with thousands of locations across North America, has reportedly fallen victim to a significant ransomware attack orchestrated by the cybercrime group known as INC Ransomware. The group claims to have exfiltrated approximately 1.2 terabytes of highly sensitive company and employee data, and is now threatening to publish the information if its ransom demands are not met.
Details of the Incident
On July 30, 2025, INC Ransomware added Dollar Tree to its leak site, alleging a substantial data breach. According to posts by the group, the cache purportedly includes an array of confidential documents—ranging from passport scans and payroll forms to internal company complaints and legal agreements. Among the samples released as proof are documents said to involve investigations into workplace issues such as sexual harassment and discrimination.
Preliminary analysis suggests that some of the compromised data may be connected to IT systems acquired in Dollar Tree’s 2024 purchase of 99 Cents Only Stores. This raises the possibility that legacy infrastructure or integration processes stemming from the acquisition may have been exploited during the attack.
About INC Ransomware
Also known as GOLD IONIC or, following a recent rebrand, Lynx, INC Ransomware has established itself as a major player in the criminal ransomware ecosystem. The group is notorious for its “double extortion” tactics, whereby data is not only encrypted but also exfiltrated, with threats to publicly release stolen information if the ransom is not paid.
INC Ransomware has a history of targeting a broad range of industries, including healthcare, government, and retail. Previous victims include UK’s NHS hospitals and several other prominent organizations, with ransoms in past incidents reportedly exceeding $5 million.
Scope and Impact
While previous security incidents—such as a third-party breach in 2023 that exposed up to 2 million employee records—have affected the company, the current ransomware event appears to be unprecedented in magnitude and significance. At this stage, INC Ransomware has only released limited data samples, a tactic commonly employed to pressure victims into negotiation. Observers note that full exposure of the remaining data could have far-reaching consequences for both the company and its stakeholders.
Ongoing Investigation
Dollar Tree and law enforcement agencies are conducting investigations as details of the incident continue to emerge. The company has not released a public statement confirming the scale or specifics of the breach. Cybersecurity experts warn that organizations involved in mergers and acquisitions should be particularly vigilant regarding legacy system vulnerabilities—a potential factor in this case.
