2 min read
Ahold Delhaize confirms data breach after ransomware leak
Farah Amod
May 31, 2025 7:15:25 PM

Ahold Delhaize has confirmed a data breach following a cyberattack, after ransomware group INC Ransom leaked internal files and claimed responsibility.
What happened
Ahold Delhaize, the multinational grocery and retail conglomerate, confirmed that sensitive data was stolen from its U.S. business systems following a cyberattack in November 2024. The acknowledgment comes after the ransomware group INC Ransom listed the company on its dark web extortion portal, sharing samples of allegedly stolen internal documents.
A spokesperson for Ahold Delhaize told BleepingComputer that an investigation is still ongoing, but that "certain files were taken from some of our internal U.S. business systems." The company has not confirmed whether ransomware was used in the attack.
Going deeper
Ahold Delhaize operates nearly 8,000 stores globally under brands including Food Lion, Stop & Shop, Giant Food, and Hannaford. With over 410,000 employees and annual revenues nearing $100 billion, the company is a significant presence in both the U.S. and European retail markets.
The incident first came to light on November 8, 2024, when Ahold Delhaize issued a public statement about a cybersecurity incident that forced parts of its IT infrastructure offline. At the time, several pharmacies and e-commerce operations were disrupted as a precautionary measure.
The appearance of the company’s name on INC Ransom’s leak site suggests the breach was part of a broader extortion attempt. While Ahold Delhaize hasn’t confirmed ransomware was involved, INC Ransom has increasingly targeted U.S. organizations, including healthcare providers and, more recently, the State Bar of Texas.
What was said
Ahold Delhaize outlined its commitment to transparency, stating, “If we determine that personal data was impacted, we will notify affected individuals as appropriate.” The company also confirmed that law enforcement agencies have been notified and updated.
Despite the breach, the company says that all stores and online services remain fully operational. “Customers should not face any disruptions,” the spokesperson added.
The big picture
Ahold Delhaize didn’t confirm the breach until after INC Ransom went public, which reflects a growing pattern: ransomware groups are setting the pace, forcing companies to react on their terms. The fact that internal files were taken, and only acknowledged after they were leaked, proves how attackers are using exposure as leverage, turning private systems into public bargaining chips.
FAQs
What kind of data might have been stolen in the Ahold Delhaize breach?
While details remain limited, ransomware groups often target employee records, internal communications, financial documents, and operational data to pressure companies into paying ransoms.
Who is INC Ransom, and how do they typically operate?
INC Ransom is a relatively new ransomware group known for stealing data and threatening public leaks via dark web sites. Their tactics often involve double extortion: encryption and data theft followed by public exposure threats.
Has Ahold Delhaize experienced any previous cybersecurity incidents?
There are no widely reported prior breaches involving Ahold Delhaize, but given the scale of its operations, the company has likely faced frequent attempted intrusions, like most large retailers.
How are companies typically advised to respond to ransomware groups like INC Ransom?
Cybersecurity experts and law enforcement discourage paying ransoms, instead recommending prompt incident disclosure, forensic investigation, system restoration, and ongoing risk assessments.
Could customers or employees be affected even if no personal data has been confirmed as stolen?
Yes, even without confirmation, there's a risk that stolen internal data could indirectly expose customer or employee information, making ongoing monitoring and updates necessary.