The food retail giant says a November ransomware attack led to the theft of employee-related personal, financial, and health information.
What happened
Ahold Delhaize, one of the world’s largest food retail chains, has confirmed that a ransomware attack on its U.S. systems in November 2024 compromised the data of over 2.2 million individuals. A filing with Maine’s Attorney General revealed that the attackers accessed internal business systems on November 6 and stole documents containing personal, financial, medical, and employment-related information.
The company has begun notifying those affected, stating that the breach impacted several Ahold Delhaize USA brands and services, including pharmacies and e-commerce operations. According to the company's investigation, the breach does not appear to involve customer payment or pharmacy systems.
Going deeper
The compromised data varies by individual and may include:
- Names, contact details, and dates of birth
- Government-issued ID numbers such as Social Security, passport, or driver’s license numbers
- Bank account details
- Workers’ compensation records and other employment-related health information
- Employment history and HR documentation
The breach is suspected to be linked to the ransomware group INC Ransom, which posted Ahold Delhaize on its leak site in April 2025 and published samples of allegedly stolen documents. The company has not officially confirmed INC Ransom’s involvement, nor has it commented on whether any systems were encrypted or if a ransom was paid.
What was said
A spokesperson for Ahold Delhaize told BleepingComputer that the investigation found no signs of compromised customer payment systems and no customer credit card data in the stolen files. However, they declined to confirm the identity of the attackers or whether the company had any communication with them.
The ransomware group INC Ransom, active since July 2023, operates a ransomware-as-a-service (RaaS) model and has previously targeted public and private organizations, including Scotland’s NHS and the State Bar of Texas.
FAQs
Why was Ahold Delhaize likely targeted?
As a multinational company with extensive U.S. operations and sensitive employee data, Ahold Delhaize presents an attractive target for ransomware groups looking for high-impact extortion opportunities.
What is ransomware-as-a-service (RaaS)?
RaaS is a business model where ransomware developers lease their malware to affiliates, who carry out attacks in exchange for a share of the ransom payments.
How does INC Ransom typically operate?
INC Ransom uses double extortion tactics—encrypting systems while simultaneously stealing data and threatening to leak it publicly if the ransom is not paid.
Are employees entitled to credit monitoring after a breach like this?
In many cases, affected individuals are offered credit monitoring and identity protection services, though it depends on company policy and regulatory guidance.
What should impacted individuals do next?
Those notified should monitor their financial accounts, consider placing fraud alerts with credit bureaus, and be cautious of phishing emails that reference leaked personal details.
Farah Amod
