Ahold Delhaize has confirmed a data breach following a cyberattack, after ransomware group INC Ransom leaked internal files and claimed responsibility.
Ahold Delhaize, the multinational grocery and retail conglomerate, confirmed that sensitive data was stolen from its U.S. business systems following a cyberattack in November 2024. The acknowledgment comes after the ransomware group INC Ransom listed the company on its dark web extortion portal, sharing samples of allegedly stolen internal documents.
A spokesperson for Ahold Delhaize told BleepingComputer that an investigation is still ongoing, but that "certain files were taken from some of our internal U.S. business systems." The company has not confirmed whether ransomware was used in the attack.
Ahold Delhaize operates nearly 8,000 stores globally under brands including Food Lion, Stop & Shop, Giant Food, and Hannaford. With over 410,000 employees and annual revenues nearing $100 billion, the company is a significant presence in both the U.S. and European retail markets.
The incident first came to light on November 8, 2024, when Ahold Delhaize issued a public statement about a cybersecurity incident that forced parts of its IT infrastructure offline. At the time, several pharmacies and e-commerce operations were disrupted as a precautionary measure.
The appearance of the company’s name on INC Ransom’s leak site suggests the breach was part of a broader extortion attempt. While Ahold Delhaize hasn’t confirmed ransomware was involved, INC Ransom has increasingly targeted U.S. organizations, including healthcare providers and, more recently, the State Bar of Texas.
Ahold Delhaize outlined its commitment to transparency, stating, “If we determine that personal data was impacted, we will notify affected individuals as appropriate.” The company also confirmed that law enforcement agencies have been notified and updated.
Despite the breach, the company says that all stores and online services remain fully operational. “Customers should not face any disruptions,” the spokesperson added.
Ahold Delhaize didn’t confirm the breach until after INC Ransom went public, which reflects a growing pattern: ransomware groups are setting the pace, forcing companies to react on their terms. The fact that internal files were taken, and only acknowledged after they were leaked, proves how attackers are using exposure as leverage, turning private systems into public bargaining chips.
While details remain limited, ransomware groups often target employee records, internal communications, financial documents, and operational data to pressure companies into paying ransoms.
INC Ransom is a relatively new ransomware group known for stealing data and threatening public leaks via dark web sites. Their tactics often involve double extortion: encryption and data theft followed by public exposure threats.
There are no widely reported prior breaches involving Ahold Delhaize, but given the scale of its operations, the company has likely faced frequent attempted intrusions, like most large retailers.
Cybersecurity experts and law enforcement discourage paying ransoms, instead recommending prompt incident disclosure, forensic investigation, system restoration, and ongoing risk assessments.
Yes, even without confirmation, there's a risk that stolen internal data could indirectly expose customer or employee information, making ongoing monitoring and updates necessary.