TL;DR: On February 2, 2026, the Russia-linked Everest ransomware gang posted Iron Mountain to its dark web leak site, claiming 1.4 terabytes of stolen internal documents and client data. Iron Mountain (which stores sensitive records for 95% of Fortune 1000 companies) says the attackers only accessed a single folder of marketing materials on a third-party file-sharing platform via one compromised credential. No ransomware was deployed. No core systems were breached. The extortion deadline is February 11. If Everest publishes the data and it's more than marketing flyers, this becomes one of 2026's biggest stories overnight.

Why Iron Mountain Matters

If you've never heard of Iron Mountain, that's by design. The company doesn't sell to consumers. It sells trust to other companies, and it's spectacularly good at it.

Iron Mountain manages records, data centers, and digital storage for over 240,000 customers worldwide. Its client list includes 95% of the Fortune 1000. Hospitals store patient records there. Law firms store case files. Movie studios store master recordings. Government agencies store classified archives. Banks store transaction histories going back decades.

The company's whole pitch is simple: give us your most sensitive stuff, and we'll keep it safer than you can. Their Pennsylvania limestone mine facility (a former Cold War bunker) stores original master recordings from artists like Frank Sinatra and Elvis Presley alongside corporate archives and government documents. The facility operates 220 feet underground behind vault doors.

When a company like that appears on a ransomware group's leak site, people pay attention.

What Everest Claims vs. What Iron Mountain Says

The stories don't match. They rarely do in these situations, but the gap here is wider than usual.

Everest's version: The gang posted Iron Mountain to its dark web extortion portal on February 2, complete with folder screenshots as proof-of-access. They claim 1.4 terabytes of internal documents and client data. They set a countdown clock for February 11. The message is standard ransomware-gang boilerplate: pay us or we publish everything.

Iron Mountain's version: A single compromised login credential was used to access one folder on a public-facing file-sharing site. That folder contained "primarily marketing materials" shared with third-party vendors. No customer confidential data was involved. No Iron Mountain systems were breached. No ransomware or malware was deployed. The credential has been deactivated.

Read that again: Iron Mountain says no ransomware was even used. This was credential theft leading to data exfiltration from a third-party platform. Everest didn't break into Iron Mountain's vault. They found an unlocked marketing closet on someone else's property.

If that's true, this is a nothingburger with a scary headline. If it's not true, 95% of the Fortune 1000 has a very bad week ahead.

The February 11 Deadline

Everest set the extortion deadline for February 11, 2026, tomorrow, as of this writing. That's when the countdown clock hits zero and, if past behavior holds, the group starts publishing whatever it actually has.

This is where we find out who's telling the truth.

If Everest dumps 1.4TB of marketing PDFs and vendor pitch decks, Iron Mountain's statement holds up. The incident was minor, the credential was revoked, and the story ends here.

If the dump contains client records (patient files, legal documents, corporate archives, personnel data), then Iron Mountain's public statement was, at best, incomplete. At worst, it was a calculated gamble that Everest was bluffing.

There's a third possibility: Everest never publishes. Maybe they got paid. Maybe the data isn't what they claimed. Ransomware groups bluff too. But Everest has published in nearly every recent case where victims refused to pay. Under Armour's 72 million records went live after they called the bluff.

Everest's 2026 Rampage

Iron Mountain isn't an isolated hit. Everest has been on an absolute tear since late 2025:

  • Under Armour (November 2025, leaked January 18, 2026). 72.7 million customer accounts compromised. Email addresses, names, purchase history, location data, dates of birth. Class action lawsuits filed.
  • Nissan (January 10, 2026). 900GB of dealer information, employee records, and internal documents allegedly stolen. Nissan's fourth major breach in two years.
  • McDonald's India (January 20, 2026). 861GB of customer and internal files claimed.
  • Atlas Air (February 6, 2026). Added to leak site.
  • Iron Mountain (February 2, 2026). 1.4TB claimed.

The group has also claimed hits on ASUS, Chrysler, Iberia Airlines, Petrobras, and Dublin Airport at various points. Since surfacing in 2020, Everest has shifted from traditional ransomware (encrypting systems and demanding payment) to pure data theft and extortion. They skip the encryption entirely. They just steal and threaten to publish.

That shift is important. It means no operational disruption for the victim. No locked systems or downed networks. Just a slow realization that someone walked out with your data and is now selling it to the highest bidder.

Healthcare is Everest's most targeted sector (36 known victims), followed by technology (35) and business services (18). The United States accounts for the majority of targets.

One Password. That's All It Took.

If Iron Mountain's account is accurate, the entire incident came down to a single compromised credential on a third-party file-sharing platform. Not a sophisticated zero-day exploit. Not a supply chain attack. One stolen login.

This is the story of most breaches in 2026. Infostealer malware (tools like RedLine, Lumma, and Vidar) harvests credentials from infected machines, which are then sold in bulk on dark web marketplaces. A single stolen password can give attackers access to cloud platforms, file-sharing services, and corporate portals without ever touching the target's actual network.

Iron Mountain's core infrastructure wasn't breached. But that distinction matters less than you'd think. If even marketing materials were accessible through a single compromised credential on an external platform, it raises questions about what else might be accessible through similar pathways. How many other third-party platforms hold Iron Mountain data? How many credentials are floating around for those?

The perimeter isn't the firewall anymore. It's every third-party service your employees log into.

What to Watch For

Tomorrow's Deadline

February 11 is D-Day. If Everest publishes, security researchers will immediately analyze the dump. If it's marketing materials, this story is over. If it's client data, buckle up.

Iron Mountain's Client Notifications

Watch for breach notification letters. If Iron Mountain starts notifying clients under state data breach laws, the "just marketing materials" line was wrong. Those notifications have legal requirements and timelines.

SEC Filings

Iron Mountain is publicly traded (NYSE: IRM). If the breach is material, SEC disclosure rules require timely reporting. The absence of an SEC filing supports the "limited impact" claim, for now.

Credential Hygiene

If your company stores records with Iron Mountain, or any records management provider, this is a good time to audit which third-party platforms have access to your data and whether those credentials use MFA. One compromised login shouldn't equal 1.4TB of anything.
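As an added example (not from Iron Mountain or any source cited here), the audit below runs over constructed events from a hypothetical file-sharing platform export and flags accounts that log in without MFA, appear from a new source IP, or pull more than an assumed volume limit within 24 hours. The tuple layout, account names, and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events; the tuple layout is a hypothetical export format:
# (timestamp, account, source_ip, mfa_used, bytes_downloaded)
GB = 10**9
EVENTS = [
    ("2026-01-20T10:00:00", "marketing-share@example.com", "192.0.2.10", False, 5_000_000),
    ("2026-02-01T02:00:00", "marketing-share@example.com", "203.0.113.50", False, 20 * GB),
    ("2026-02-01T02:40:00", "marketing-share@example.com", "203.0.113.50", False, 20 * GB),
    ("2026-02-01T03:30:00", "marketing-share@example.com", "203.0.113.50", False, 20 * GB),
    ("2026-01-21T09:00:00", "records-admin@example.com", "192.0.2.20", True, 2 * GB),
    ("2026-01-22T09:00:00", "vendor-sync@example.com", "192.0.2.30", True, 30 * GB),
    ("2026-01-24T09:00:00", "vendor-sync@example.com", "192.0.2.30", True, 30 * GB),
]

WINDOW = timedelta(hours=24)   # assumed look-back window
VOLUME_LIMIT = 50 * GB         # assumed per-account ceiling; tune to your baseline

def audit(events, window=WINDOW, limit=VOLUME_LIMIT):
    """Return {account: sorted findings} for accounts with at least one finding."""
    by_account = defaultdict(list)
    for ts, account, ip, mfa, size in events:
        by_account[account].append((datetime.fromisoformat(ts), ip, mfa, size))

    findings = defaultdict(set)
    for account, rows in by_account.items():
        rows.sort()                      # chronological order per account
        seen_ips, start, total = set(), 0, 0
        for ts, ip, mfa, size in rows:
            if not mfa:
                findings[account].add("no-mfa")
            if seen_ips and ip not in seen_ips:
                findings[account].add("new-source-ip")
            seen_ips.add(ip)
            total += size
            # Drop events that have aged out of the sliding window.
            while rows[start][0] < ts - window:
                total -= rows[start][3]
                start += 1
            if total > limit:
                findings[account].add("bulk-download")
    return {acct: sorted(f) for acct, f in findings.items()}

if __name__ == "__main__":
    for acct, flags in audit(EVENTS).items():
        print(acct, flags)
```

The vendor-sync account moves the same total volume as the flagged one but spread across days and behind MFA, so it stays quiet under the assumed limit.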

The Custodian Problem

Iron Mountain's business model is built on a simple promise: "Your data is safer with us." That promise is the entire value proposition. Nobody stores master recordings in a limestone mine for the aesthetics. They do it because they believe Iron Mountain can protect those assets better than they can.

This incident, even if limited to marketing materials, scratches that trust. It's the same problem we saw with Conduent, the government technology contractor that recently disclosed a breach affecting millions of Americans across multiple state agencies. When you centralize sensitive data from hundreds of organizations into a single custodian, that custodian becomes a single point of failure.

Everest knows this. They didn't target Iron Mountain because they're interested in marketing brochures. They targeted Iron Mountain because the name alone, printed at the top of a leak site, sends a shiver through every Fortune 1000 CISO. The threat is the reputation damage, regardless of what was actually stolen.

And that's the game now. Ransomware groups don't need to actually breach your vault. They just need to convince the world they did. The deadline clock does the rest.

We'll know tomorrow whether Iron Mountain was telling the truth. Set your alarm.
