Ahold Delhaize confirms data stolen after threat group claims credit for November attack

Ahold Delhaize confirmed Thursday that certain files from its U.S. operations were stolen in a November cyberattack after a threat group claimed credit for the incident.

The threat group, tracked as Inc Ransom, claimed in a Wednesday post on its leak site to have up to 6 TB of sensitive data from the Netherlands-based supermarket operator’s U.S. division and threatened to release the information if its demands are not met, according to researchers at Arctic Wolf. The attackers have not said what those demands are.

“Since the incident was detected, our teams have been working diligently to determine what information may have been affected,” Ahold Delhaize USA said in a statement.

Ahold Delhaize added that it is working with outside forensics experts to confirm what information was taken and will disclose that information to affected individuals in accordance with legal obligations. The company said it has also notified and updated law enforcement on the matter. 

The attack disrupted e-commerce operations at Ahold Delhaize USA’s Hannaford banner and also impacted certain pharmacy and e-commerce operations elsewhere in the U.S. Ahold Delhaize’s U.S. business includes Giant Food, Stop & Shop, Food Lion and The Giant Company in addition to Hannaford.

Hannaford, which runs nearly 200 supermarkets in four Northeastern states, was forced to halt pickup and delivery orders for several days because of the incident, which it described at the time as a “cybersecurity issue.”

The grocer indicated that its physical stores remained open despite the incident, with most accepting all major payment methods, including credit cards.

Ahold Delhaize USA temporarily took some systems offline in response to the attack “to help protect them,” the company said in a Nov. 8 statement.

Hannaford’s website displayed a message that said it was dealing with “technical issues with our servers.” The company’s other U.S. grocery banners’ websites appeared to remain operational, but all carried an identical note that said users might experience disruptions and reduced availability for e-commerce services because of “system outages.”

Ahold Delhaize’s Thursday disclosure that it had suffered a data breach comes about a week after the company confirmed that Ann Dozier had been onboarded as the chief information officer of the U.S. business. 

Dozier, who was hired in February, previously was SVP and chief information and technology officer at Southern Glazer’s Wine and Spirits. 

Inc Ransom has been active since mid-2023, and is still considered an active threat actor, according to Arctic Wolf researchers. The group is linked to attack claims against other food-related companies in recent months and was also connected to an attack against a subsidiary of Xerox last year.

In mid-2024 the codebase of Inc Ransom was listed for sale on underground markets, according to Arctic Wolf. A separate group tracked as Lynx later emerged as an active threat actor, according to researchers