Ahold Delhaize, one of the world’s largest food retailers and owner of major U.S. grocery brands like Food Lion, Stop & Shop, Giant Food, and Hannaford, has confirmed a significant data breach affecting more than 2.2 million individuals. The breach is linked to a ransomware attack that targeted the company’s U.S. operations in early November 2024 and has been attributed to the INC Ransom ransomware group, which publicly claimed responsibility in April 2025.
Key Details of the Breach
The breach primarily compromised internal employment records belonging to current and former employees of Ahold Delhaize USA companies. In Maine alone, over 95,000 individuals were affected, with the total number exceeding 2.2 million nationwide. The stolen information varies by individual, but may include:
• Full names and contact details
• Dates of birth
• Government-issued identification numbers (including Social Security numbers, passport numbers, and driver’s license numbers)
• Bank account and other financial information
• Health and workers’ compensation data
• Employment-related records
Ahold Delhaize stated there is no indication that customer credit card numbers or pharmacy data were exposed. The breach appears limited to employment-related information.
Incident Timeline and Response
The breach was detected on November 6, 2024, after unauthorized access to internal U.S. business systems was discovered. The company quickly engaged external cybersecurity experts, took affected systems offline to contain the threat, and notified law enforcement. Some stores experienced temporary disruptions, including delays in pharmacy and delivery services, but these were soon resolved.
Impacted individuals are being notified and offered two years of free credit monitoring and identity protection services through Experian. A help desk has been established for affected employees.
Threat Actor: INC Ransom
INC Ransom is a ransomware-as-a-service operation known for double extortion tactics: stealing sensitive data and threatening to publish it unless a ransom is paid. It has targeted organizations across healthcare, education, government, and industry, with a growing focus on U.S. entities. The group typically exploits software vulnerabilities and uses phishing to gain initial access, followed by lateral movement and data exfiltration. INC Ransom listed Ahold Delhaize on its extortion site and published samples of stolen documents, increasing the pressure on the company.
Industry Significance
This is one of the largest ransomware-related data breaches in the food and beverage sector, with the number of records compromised far exceeding the industry average for such incidents. The breach has prompted investigations and potential class action lawsuits, highlighting the critical importance of robust cybersecurity measures in the retail sector.