Dollar Tree denies ransomware claims, says stolen data is from defunct discount chain

Discount retail giant Dollar Tree denied that its systems were impacted by ransomware after a cybercriminal operation claimed on Wednesday to have attacked the company. 

A company spokesperson told Recorded Future News that it is aware of the claims but said they believe the group actually targeted 99 Cents Only Stores — another discount shopping chain that declared bankruptcy last year and has since shut down. 

“The files referenced in these claims appear to involve former 99 Cents Only employees. Dollar Tree’s involvement with 99 Cents Only Stores is related to the purchase of select real estate lease rights following their closure,” the spokesperson said. 

“We did not acquire their corporate entity, systems/network, or data. Any allegation of Dollar Tree’s involvement is inaccurate.”

Emails sent to accounts connected to 99 Cents Only Stores bounced back and the company no longer has a website. 

99 Cents Only was founded in 1982 and at its peak had nearly 400 stores across California, Texas, Arizona and Nevada. The company filed for bankruptcy last April and closed all of its stores in June 2024 due to financial hardship. 

Dollar Tree acquired the rights to 170 leases from 99 Cents Only just before it closed and the deal was approved by a bankruptcy court in Delaware. Dollar Tree’s press release says it also “acquired the North American Intellectual Property of 99 Cents Only Stores and select on-site furniture, fixtures, and equipment.”

On Wednesday, the INC ransomware gang claimed on its leak site that it attacked Dollar Tree and exfiltrated 1.2 terabytes of sensitive and personal data.

The leak site post contains samples of the stolen data, including scans of passports, and quotes the Dollar Tree press release announcing its acquisition of 99 Cents Only leases. 

Dollar Tree is one of the most successful retailers in the U.S., reporting $17.6 billion in sales over the last fiscal year through its 9,000 stores in the U.S. and Canada. 

According to researchers at SentinelOne, the INC ransomware group emerged in July 2023, claiming high-profile attacks on companies like Japanese manufacturer Yamaha Motor and a prominent Michigan hospital network.

Last fall, the ransomware gang targeted the Dutch conglomerate behind several major U.S. supermarket brands — leaving dozens of stores struggling for days to operate without digital systems.