Ahold Delhaize Acknowledges Data Breach Affecting 2.2 Million Amid INC Ransomware Allegations

A data breach at Ahold Delhaize USA Services, LLC, which supports the prominent East Coast grocery retailer Ahold Delhaize USA, has compromised the personal information of over 2.2 million individuals, including more than 95,000 residents of Maine.

The breach, attributed to unauthorized access to Ahold Delhaize’s internal business systems, occurred between November 5 and 6, 2024. This incident involved the theft of sensitive personal, financial, and health-related information, primarily impacting current and former employees.

Ahold Delhaize USA is a major player in the grocery industry, operating well-known brands such as Food Lion, Giant Food, Hannaford, and Stop & Shop. In response to the breach, the company has begun notifying affected individuals and is offering two years of complimentary credit monitoring and identity protection services. A dedicated help desk has also been set up to handle inquiries from the impacted parties.

Details of the Cyberattack

Ahold Delhaize USA Services identified the cybersecurity breach on November 6, 2024, and promptly initiated an investigation in collaboration with leading cybersecurity experts, alongside coordination with U.S. federal law enforcement agencies. The investigation revealed that an unauthorized third party accessed and extracted files from an internal U.S. file repository. In an effort to manage the incident, the company momentarily took some systems offline, which resulted in temporary disruptions to online orders and pharmacy services; however, functionality was soon restored.

The compromised data included a wide range of personal information, as outlined in a breach notification submitted to the Maine Attorney General. This data encompassed names, contact details, dates of birth, government-issued identification numbers such as Social Security numbers, passport numbers, and driver’s license information. Financial records, including bank account details, were also exposed.

Furthermore, health-related information, specifically pertaining to workers’ compensation cases and medical records tied to employment histories, was also compromised. Ahold Delhaize indicated that many affected associates might have worked for various subsidiaries operating in the Netherlands, specifically those on payroll in April 2021.

According to the company, there is “no indication that customer payment or pharmacy systems were compromised,” and no customer credit card numbers were included in the affected data. This suggests that the attack was primarily focused on employee-related data.

Ransomware Group Claims Responsibility

On April 16, 2025, the INC ransomware group publicly claimed responsibility for the breach through their dark web leak platform, threatening to release the stolen data in full after providing samples. Active since mid-2023, the group typically employs phishing emails and exploit kits to gain system access while avoiding attacks within Russia, which potentially indicates their operational base.

On April 17, 2025, Ahold Delhaize confirmed the theft of data and began a thorough review of the affected files to determine the specific personal information at risk. This complex investigation has spanned seven months, identifying affected individuals in the U.S. and uncovering additional employment data from the Netherlands, which underscores the intricacies involved in responding to such cyber incidents.

Experts note that this breach marks one of the most significant data compromises following a ransomware attack within the food and beverage sector. Since tracking of ransomware incidents began in 2018, this event at Ahold Delhaize stands out as the largest breach based on the number of records affected. Typically, attacks in this sector have centered on encrypting systems; however, this incident reflects a disturbing shift towards data theft as a primary tactic among ransomware groups.

As the landscape of cyber threats continues to evolve, businesses must remain vigilant. The tactics likely employed during this attack, according to the MITRE ATT&CK framework, include initial access methods, privilege escalation, and data exfiltration techniques, which further underline the need for robust cybersecurity measures.
