Strategic Retail Partners yesterday confirmed it notified an undisclosed number of people about a February 2025 data breach that compromised the following personal info:
- Names
- Social Security numbers
- State-issued ID numbers (e.g. driver’s license)
- Financial account info
In February, ransomware gang Medusa took credit for stealing 1.35 TB of data from Strategic Retail Partners and demanded a $1.2 million ransom. In March, Medusa claimed it hacked the company again and demanded a second $1 million ransom.
“They refused to pay us with poor security remaining and we have hacked & locked them again!” says Medusa in the second breach claim posted to its data leak site.
Strategic Retail Partners only publicly acknowledged one breach in February 2025 and has not verified any of Medusa’s claims. We do not know how many people had their data compromised, if SRP paid a ransom, or how attackers breached SRP’s network. Comparitech contacted SRP for comment and will update this article if it replies.
“On February 6, 2025, Strategic Retail Partners (‘SRP’) became aware of suspicious activity on the SRP computer network,” says SRP’s notice to victims. “The investigation determined that there was unauthorized access to SRP’s network between February 3, 2025 and February 6, 2025, and during that period of unauthorized access, certain information stored within SRP’s network was accessed and/or copied without permission.”
SRP is offering eligible victims 12 months of free credit monitoring through Cyberscout. The deadline to enroll is 90 days from receipt of the notice letter.
Who is Medusa?
Medusa first appeared in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa both locks down computer systems and steals data, forcing infected organizations to pay a ransom to restore systems and to not publish stolen data. The gang operates a ransomware-as-a-service scheme in which customers pay to use Medusa’s malware and infrastructure to launch attacks and collect ransoms.
Medusa has taken credit for 25 confirmed ransomware attacks in 2025 to date, plus 99 unconfirmed claims that haven’t been acknowledged by the targeted companies. Its average ransom demand is $320,000.
The attack on SRP is Medusa’s first on a retail company. The group’s other most recent victims include the Caribbean Industrial Research Institute in Trinidad and Tobago and Indian manufacturer L.G. Balakrishnan & Bros. Medusa demanded $100,000 and $600,000 from those companies, respectively, in September.
Ransomware attacks on US retail
Comparitech researchers have logged 17 confirmed ransomware attacks on US retailers in 2025 to date, compromising 110,300 records. We’re tracking a further 162 unconfirmed attack claims made by ransomware gangs that haven’t been acknowledged by the targeted retailers.
Other recent attacks of this kind include:
- AP Air is notifying victims of a July 2025 data breach claimed by Akira
- Belkorp Ag is notifying victims of an April 2025 data breach claimed by Team XXX
- Main Electric Supply Company is notifying 2,056 people of a July 2025 data breach claimed by Sinobi
Ransomware attacks on retailers can both steal data and lock down computer systems, disrupting day-to-day business functions such as logistics, communications, accounting, and more. Retailers must either pay a ransom to restore systems and secure stolen data, or else face extended downtime, permanent data loss, and an increased risk of fraud for data subjects.
About Strategic Retail Partners
Formerly Solaray, Strategic Retail Partners is a distributor of in-store merchandise at more than 70,000 stores mostly in North America. Since its founding in 1969 as a sunglasses distributor, it has acquired several merchandise brands including PUGS sunglasses, Celltronix electronics, Clouds travel accessories, and Fiesta plush toys.