Belgian-Dutch supermarket operator Ahold Delhaize has revealed that the personal data of over two million individuals was compromised in a November 2024 ransomware attack on the systems of its US operations.
In a filing made this week at the office of the attorney general for the US state of Maine, the organisation said that 2,242,521 people in total had been affected.
In a letter to impacted individuals signed by Ahold Delhaize’s US legal affairs vice president, Dyana Tull, the organisation said that the stolen data included names, contact details, dates of birth, Social Security, passport and driving licence details, financial account information, and employee data related to compensation and occupational health.
“Upon detection last November, we began taking steps to assess and contain the issue, including working with external cyber security experts to investigate and secure the affected systems,” wrote Tull.
“We take this issue extremely seriously and will continue to take actions to further protect our systems…. We regret any inconvenience this issue may cause for you.”
As has become customary following such breaches, Ahold Delhaize is offering those affected a year’s worth of free identity protection and credit monitoring via Experian, which can be taken up until the end of September.
Following the incident last year saw the INC Ransom crew claimed to have stolen six terabytes of data from Ahold Delhaize, which besides the Food Lion and Giant supermarket chains in the US, operates the eponymous Albert Heijn and Delhaize chains in the Benelux region, as well as stores in Indonesia, Romania and Serbia.
In April 2025, it also emerged that data on Dutch employees who were on the company payroll in April 2021 had also been compromised.
The cyber attack also caused disruption for customers at some of Ahold Delhaize’s US operations, notably its Food Lion and Hannaford chains, when the company was forced to shut down key online commerce systems.
“Affected users should be vigilant for signs of identity theft and phishing attempts. The stolen information can be used for social engineering attacks, as attackers can pose as legitimate representatives of financial institutions, healthcare providers, or government agencies,” said Boris Cipot, senior security engineer at Black Duck, an application security specialist.
“To mitigate potential harm, users should notify relevant institutions about the breach, such as their bank, healthcare provider, employer, or government agencies. These institutions can provide guidance on next steps to protect against further exposure, monitor credit status, and prevent identity theft,” he said.
Who are INC Ransom?
INC Ransom, the cyber criminal gang that claims this particular attack, has been active for approximately two years.
It targets organisations primarily in Europe and the US, and has had a particular focus on the education, healthcare and industrial sectors.
In the UK specifically, it appears to have been behind attacks on Alder Hey Childrens NHS Foundation Trust and Liverpool Heart and Chest Hospital NHS Foundation Trust, and NHS Dumfries and Galloway.
According to analysts at SentinelOne, the gang works to a fairly typical playbook where it tries to present itself not as a criminal operation but as a service provider offering victims the chance to both ‘save their reputation’ and make their IT systems ‘more secure’.
It uses a variety of initial access methods such as targeted spear phishing emails, and has also been known to exploit vulnerabilities in Citrix products.
Its locker malware uses AES-256 encryption in cipher block chaining (CBC) mode and will terminate open processes in order to encrypt open files, as well as targeting backups for deletion.
