Multinational Food Retailer Ahold Delhaize Confirms Data Breach from November Ransomware Attack

Multinational food retailer Ahold Delhaize reports that the November 2024 ransomware attack on its U.S. operations resulted in a massive data breach affecting over 2.2 million individuals.

Dutch-Belgian Ahold Delhaize operates over 9,400 stores across North America, Europe, and Indonesia, employing over 393,000 people.

It supplies high-profile brands, such as Food Lion, Giant Food, Hannaford, and Stop & Shop in the U.S., as well as Albert, Alfa Beta, Bol, Delhaize, Gall & Gall, Maxi, Mega Image, and Profi in Europe. It also serves over 60 million customers per week across its brick-and-mortar restaurants and online platforms and reported net sales of over $104 billion in 2024 worldwide.

On November 8, Ahold Delhaize said it had detected “a cybersecurity issue within its U.S. network.” The company responded immediately by taking certain systems offline, engaging external cybersecurity experts, and launching an investigation, for which the results were pending.

“Upon detection last November, we began taking steps to assess and contain the issue, including working with external cybersecurity experts to investigate and secure the affected systems,” Ahold Delhaize said.

The cyber incident disrupted operations in some stores, which struggled to fulfill orders, resulting in a flurry of social media complaints. Several downstream food chains and pharmacies were also affected by Ahold Delhaize’s disruption.

Food retailer Ahold Delhaize’s data breach leaked sensitive information

According to a recent regulatory filing with the Maine Attorney General, Ahold Delhaize USA said that it had determined the data breach had leaked the personal information of 2,242,521 people.

“Based on our investigation, we identified that an unauthorized third party obtained certain files from one of our internal U.S. file repositories between November 5 and 6, 2024,” it said.

While the leaked details varied by individual, they included names, postal and email addresses, phone numbers, dates of birth, and government-issued IDs such as Social Security numbers, driver’s licenses, and passports.

“The information stolen poses a significant threat to the victims, as the information is more than enough to steal identities and be used in future social engineering attacks,” said Erich Kron, a Security Awareness Advocate at KnowBe4. “The fact that it impacts 2.2 million people is an issue as well. Victims need to keep an eye on their credit reports and look out for new lines of credit opened in their name, or better yet, lock the credit reports.”

The data breach also leaked financial details, such as bank account numbers, along with health information and other employment-related details.

Additionally, the data breach affected Ahold Delhaize’s current and former employees, as well as their family members. However, the food retailer has not disclosed if customers or other entities were affected.

“The disclosure by Ahold Delhaize that last year’s ransomware attack on the supermarket giant has impacted more than 2 million of their global customers is a sobering reminder of the challenges organizations face when safeguarding personal data,” said Semperis director of incident response Jeff Wichman.

Meanwhile, Ahold Delhaize is offering two years of free credit monitoring and identity protection services to affected individuals. The food retailer also advised victims to remain vigilant for any suspicious activity and report promptly to the relevant authorities.

Ahold Delhaize has also promised to implement additional cybersecurity measures to protect its systems from further intrusions.

“We take this issue extremely seriously and will continue to take actions to further protect our systems,” the food retailer stated.

However, Ahold Delhaize has not disclosed whether the data breach involved the deployment of ransomware, despite that fact being apparent. The food retailer also has yet to disclose the attack vector the threat actor exploited to compromise its systems.

INC ransomware group took credit

Nonetheless, the INC ransomware group has taken responsibility for the Ahold Delhaize data breach by listing the food retailer on its data leak site and threatening to leak the stolen information.

“Ransomware gang Inc took credit for the attack, saying it stole 6 TB of data from Ahold Delhaize. Ahold Delhaize has not verified Inc’s claim,” said Paul Bischoff, Consumer Privacy Advocate at Comparitech. “We do not know if Ahold Delhaize paid a ransom, how much Inc demanded, or how attackers breached the company’s network.”

Active since mid-2023, the INC ransomware gang gains access to organizations via email-based phishing involving a custom exploit kit. Its targets include healthcare, education, and government institutions.

The Russian state-backed INC ransomware group was behind the attack on Alder Hey children’s hospital, according to Kron.

“The INC ransomware group may not be the most well-known but has been involved in some other noteworthy attacks in the past, including the Alder Hey children’s hospital attack in Liverpool and the Scottish health board, both in 2024,” he said. “This group is thought to be Russian and may be state sanctioned.”