Iron Mountain
Analysis of the Iron Mountain extortion attempt claiming 1.4TB of data from the records management company.
Published by the Scrutex.ai Research Team | February 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation
Iron Mountain
Global records management and data protection services company providing storage, shredding, and information management for enterprise clients.
Sector
Information Management
Region
United States
Date of Incident
Prior to February 2026 (exact date not disclosed)
Date Disclosed
February 2026
Estimated Impact
Unknown (1.4TB claimed)
Data Types Exposed
Vendor marketing materials (according to initial assessment; full scope under investigation)
Attack Type
Extortion
Attack Vector
Claimed data theft and extortion (specific initial access vector not disclosed)
Current Status
Under investigation. Iron Mountain has described the claimed data as limited to vendor marketing materials.
Severity Assessment
Moderate for direct data impact, but High for reputational significance. When a company whose core business is protecting other organisations' data is itself compromised, it creates systemic trust concerns across the records management industry.
What Happened
In February 2026, Iron Mountain, a records management and data protection services company, disclosed an extortion attempt in which a threat actor claimed to have stolen 1.4TB of data.
According to Iron Mountain, the data reportedly consists of vendor marketing materials. A breach of a company that stores and protects other organisations' data undermines trust in the records management industry.
Timeline
February 2026
Extortion attempt disclosed; threat actor claims to have stolen 1.4TB of data from Iron Mountain
Impact and Risk Assessment
For Affected Individuals
Direct individual impact appears limited based on current assessment that the data consists of vendor marketing materials.
For Organisations
Iron Mountain's enterprise clients may question the security of their own records stored with the company, regardless of whether client data was actually accessed.
The reputational impact for a records management company is disproportionately high, as data protection is their core value proposition.
Regulatory Context
If client records were accessed, multiple regulatory frameworks could apply depending on the nature of the stored data across Iron Mountain's global client base.
What Should You Do?
If You Are a Potentially Affected Individual
No immediate action is required based on current information that the compromised data is limited to vendor marketing materials.
If You Are a Security or Risk Professional
If your organisation uses Iron Mountain for records management, contact them to understand whether your data was within scope of the incident.
Use this incident to evaluate the security controls of your records management and document storage providers.
Learnings and Recommendations
When organisations whose core business is data protection are themselves compromised, it creates systemic trust issues across the records management industry.
Even if the claimed data is limited to vendor marketing materials, the reputational impact for a data protection company is significant.
Sources
This advisory is provided for informational purposes by the Scrutex.ai research team. It is based on publicly available reporting from the sources cited above. Where details are unconfirmed or disputed, we have noted this accordingly. Scrutex.ai does not independently verify internal claims made by affected organisations. Organisations concerned about their own exposure are encouraged to conduct their own assessments and seek professional advice where needed.
Stay ahead of the next breach
Scrutex monitors dark web sources, breach databases, and threat actor activity continuously, detecting exposure that affects your organisation before it becomes a headline.