A US-based records management company is investigating reports that a criminal actor claims to have accessed internal systems and sensitive customer data, according to security researchers tracking alleged breaches of corporate networks. The incident involves Iron Mountain Incorporated, which provides data storage, information management, and secure shredding services to government, business, and healthcare clients. Cybercrime monitoring services listed the organisation on a dark web leak site on February 5, 2026, saying that stolen files include internal and customer information.
The data posted on the leak platform was attributed to an unknown threat actor who said it included more than 5 GB of compressed files stolen from Iron Mountain systems. The list of alleged files circulated online includes folders reportedly tied to internal documentation, contracts, and administrative records. Security researchers stress that listings on dark websites often cannot be independently verified and may contain fabricated claims intended to pressure organisations into paying ransoms or drawing attention without proof of access.
Iron Mountain said in a statement that it has seen published claims about a potential breach of its systems, but that company teams have not confirmed any compromise of its infrastructure, customer systems, or data. The organisation said it is investigating the matter with external cybersecurity specialists and continuing ongoing monitoring of its networks. Iron Mountain added that it does not believe there has been an impact on customer environments or operations.
The company operates a range of data protection services, including physical records storage, secure data destruction, cloud backup solutions, and digital information management tools. It serves clients across sectors that include healthcare, legal, and government, many of which handle regulated or sensitive personal information.
Cybersecurity analysts noted that criminal actors often publish unverified claims of exfiltrated data and include snippets of common file names or generic document types to make posts appear credible. Independent researchers and incident response professionals caution that published data breach claims should be scrutinised until an organisation confirms whether systems were accessed and what information may have been affected.
There has been no public disclosure of victim notifications or regulatory filings tied to Iron Mountain in relation to the alleged incident as of early February 2026. Authorities have not reported involvement in the matter, and the company’s investigation is ongoing. Iron Mountain said it will provide updates if further evidence of a confirmed breach emerges.