Retail giant Ahold Delhaize says data breach affects 2.2 million people

Ahold Delhaize, one of the world’s largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems.

The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online.

It reported net sales of over $104 billion last year and operates under a wide range of brands, including Food Lion, Stop & Shop, Giant Food, and Hannaford in the American market, and Delhaize, Maxi, Mega Image, Albert, bol, Alfa Beta, Gall & Gall, and Profi in Europe.

“This issue and subsequent mitigating actions have affected certain Ahold Delhaize USA brands and services including a number of pharmacies and certain e-commerce operations,” said Ahold Delhaize in November, when it disclosed the incident.

In a Thursday filing with Maine’s Attorney General, the retail giant revealed that the attackers behind the November breach stole the data of 2,242,521 individuals after gaining access to the company’s internal U.S. business systems on November 6, 2024.

While it didn’t confirm whether customers’ information was also affected, Ahold Delhaize stated that the stolen files may have included internal employment records with personal information obtained while working with current and former Ahold Delhaize USA companies.

The company added that the stolen items vary for each affected individual and that the stolen documents contain a combination of:

  • personal information such as name, contact information (e.g., postal and email address and telephone number), date of birth, government-issued identification numbers (e.g., Social Security, passport, and driver’s license numbers),
  • financial account information (e.g., bank account number),
  • health information (e.g., workers’ compensation information and medical information contained in employment records),
  • and employment-related information.

Although the company has yet to name the cybercrime group behind the breach, the INC Ransom ransomware group added Ahold Delhaize to its dark web extortion portal in April, leaking samples of documents allegedly stolen from the company’s compromised systems.

Ahold Delhaize on INC Ransom’s leak site (BleepingComputer)

When asked to confirm that INC Ransom was behind the attack, Ahold Delhaize told BleepingComputer in April that attackers had stolen data from its U.S. business systems but didn’t comment on whether the ransomware gang was involved in the breach.

INC Ransom is a ransomware-as-a-service (RaaS) operation that surfaced in July 2023 and has since targeted organizations in both the public and private sectors.

Its list of more than 250 victims claimed over the last two years includes government, healthcare, educational, and industrial entities, such as Scotland’s National Health Service (NHS), Yamaha Motor Philippines, and the U.S. division of Xerox Business Solutions (XBS).

In April, the ransomware gang also claimed responsibility for an attack on the State Bar of Texas, which later warned over 100,000 members that hackers had stolen their sensitive data.

INC Ransom has recently shifted its focus to organizations in the United States, with one of its members, tracked by Microsoft as ‘Vanilla Tempest,’ specifically targeting U.S. healthcare providers.
