Iron Mountain reveals recent Everest cyber breach limited to marketing files

Leading data storage and recovery services company Iron Mountain said that recent cyber incident claimed by the Everest extortion gang was confined to a single folder containing mostly marketing materials and did not involve customer data, ransomware, or broader system compromise.

The company confirmed that attackers used one compromised login credential to access a public-facing file-sharing server that housed marketing content shared with third-party vendors. The company said the credential has been deactivated and no other systems were affected.

The statement follows a claim posted by the Everest cybercrime group on its leak site asserting it had stolen 1.4 terabytes of internal company documents, including personal documents and client information. Iron Mountain said its review found no evidence that confidential or sensitive customer information was involved.

Headquartered in Portsmouth, New Hampshire, Iron Mountain was founded in 1951 and specializes in data centers and records management. The company serves more than 240,000 customers in over 61 countries, including the vast majority of the Fortune 1000.

Iron Mountain said the attackers did not deploy ransomware or malware and that the activity was limited to access of the single folder. The company added that no additional cyber activity was detected beyond the compromised credential.

The Everest group, which emerged in 2020, has shifted in recent years from encrypting systems with ransomware to data-theft-only extortion. The operation is also known for brokering initial access to corporate networks, selling that access to other cybercrime groups.

Over the past five years, Everest has listed hundreds of alleged victims on its leak portal as part of double-extortion schemes that threaten public release of stolen data unless ransoms are paid. In August 2024, the U.S. Department of Health and Human Services warned that the group was increasingly targeting healthcare organizations nationwide.

The Everest operation took its website offline in April 2025 after it was defaced and replaced with a message condemning cybercrime.