Ahold Delhaize Reports Data Breach Impacting 2.2 Million Individuals

Ahold Delhaize, a prominent global food retail chain, has alerted over 2.2 million individuals regarding the unauthorized access and theft of their personal, financial, and health information due to a ransomware attack that targeted its U.S. systems in November.

Operating over 9,400 stores primarily across Europe, the United States, and Indonesia, Ahold Delhaize employs more than 393,000 people and serves approximately 60 million customers weekly both in-store and online. In the previous fiscal year, the company reported net sales exceeding $104 billion. Its diverse portfolio includes well-known brands such as Food Lion, Stop & Shop, Giant Food, and Hannaford in the United States, as well as Delhaize, Maxi, Mega Image, Albert, bol, Alfa Beta, Gall & Gall, and Profi in Europe.

The company disclosed in November that the ransomware incident impacted several of its brands and services in the U.S., including certain pharmacy operations and aspects of its e-commerce platforms. In a recent filing with Maine’s Attorney General, Ahold Delhaize confirmed that the cyberattack on November 6, 2024, resulted in the theft of data belonging to 2,242,521 individuals.

Although the organization did not clarify whether customer data was compromised, it acknowledged that the stolen information may encompass internal employment records containing personal data of current and former employees of Ahold Delhaize USA. The nature of the stolen data varies among individuals but encompasses a range of sensitive information, including:

• Personal details such as names, contact information (postal and email addresses, phone numbers), dates of birth, and government-issued identification numbers (e.g., Social Security, passport, and driver’s license numbers).
• Financial account details (e.g., bank account numbers).
• Health information, including workers’ compensation and other medical information associated with employment records.
• Employment-related information.

The identity of the cybercriminal group responsible for the breach has not been disclosed. However, the INC Ransom ransomware group listed Ahold Delhaize on its dark web extortion portal in April, allegedly leaking samples of documents taken during the attack.

When approached for confirmation regarding INC Ransom’s involvement, Ahold Delhaize acknowledged that unauthorized access was obtained to its U.S. business systems, but refrained from commenting on the specific roles of the ransomware group.

INC Ransom is identified as a ransomware-as-a-service (RaaS) operation that emerged in July 2023 and has since executed attacks on both public and private sector organizations. Its extensive list of over 250 victims includes various government, healthcare, educational, and industrial entities, such as Scotland’s National Health Service (NHS), Yamaha Motor Philippines, and Xerox Business Solutions in the United States.

In April, the gang also announced responsibility for an attack against the State Bar of Texas, cautioning over 100,000 members about the theft of sensitive personal data.

The focus of INC Ransom has increasingly shifted towards organizations within the United States, particularly targeting U.S. healthcare providers through a group member identified by Microsoft as “Vanilla Tempest.”