Full Report
Ahold Delhaize USA, the parent company of several well-known American supermarket brands, has confirmed that data was stolen during a cyberattack that took place in the fall of 2024. The company shared an update on Thursday, revealing that hackers managed to extract files from internal business systems connected to the earlier security breach. "Based on our investigation to date, we believe certain files were taken from some of our internal U.S. business systems in connection with the prior cybersecurity issue," read the company's statement. Ahold Delhaize USA operates over 2,000 grocery stores across the country, including major names like Stop & Shop, Food Lion, Giant Food, and Hannaford. In November 2024, the company reported disruptions that impacted online grocery ordering and caused temporary website outages for some of its supermarket chains. The company acted quickly at that time to restore its operations. “Our teams have been working diligently to determine what information may have been affected,” the company stated in its latest update. Ongoing Investigation of Ahold Delhaize USA Reveals Data Theft The Ahold Delhaize cyberattack has now been linked to the theft of certain files from internal U.S. business systems. While Ahold Delhaize USA did not detail exactly what kind of data was taken, it has assured that its teams are working hard to determine what information may have been affected. “We will notify affected individuals in accordance with our legal obligations,” the company said. Law enforcement agencies have also been informed and updated about the development. The company emphasized that protecting the information of its customers, employees, and vendors remains a top priority. INC Ransom Gang Takes Responsibility The INC Ransom gang has come forward, claiming responsibility for the cyberattack on Ahold Delhaize. In a post made earlier this week, the cybercriminal group claimed it stole six terabytes of data from Ahold Delhaize USA. As of this writing, The Cyber Express has reached out to Ahold Delhaize for further clarification regarding this claim, but the company has not responded. Who is INC Ransom? According to cybersecurity researchers at Cyble, INC Ransom (also known by the alias GOLD IONIC) is a highly active ransomware and extortion group. The group has been operating since at least July 2023 and has targeted a broad spectrum of industries worldwide, including healthcare, education, government, and now retail. INC Ransom is known for its advanced attack methods, often using multiple tools and malware families to infiltrate systems and steal data. These include: AdFind – A tool used to gather information from Active Directory environments PsExec – A command-line tool used to execute processes on remote systems Rclone – A command-line program used to manage files on cloud storage platforms The group’s reach is global, with confirmed attacks in countries such as the United States, the United Kingdom, Australia, France, Germany, Italy, the Philippines, and many more. A Series of Global Cyberattacks The Ahold Delhaize USA cyberattack is not the first major attack claimed by INC Ransom. In June 2024, the group was allegedly behind a cyberattack on ControlNET LLC, a U.S.-based provider of building technology solutions. ControlNET specializes in HVAC, lighting, video surveillance, access control, and power systems. In that case, the ransomware group not only claimed to have gained access to the company’s network but also released sensitive information to back their claims. The leaked data included: Invoice records Building floor plans Internal email communications Sample project folders involving ControlNET’s clients INC Ransom also claimed to have targeted Rockford Public Schools as part of the same attack vector, suggesting a potential supply chain risk. Why This Matters Cyberattacks like these are a growing concern for companies and consumers alike. For organizations such as Ahold Delhaize USA, which rely on technology to manage inventory, process payments, and offer online services, even a short disruption can cause significant operational and financial harm. When customer or employee data is involved, the risks extend far beyond temporary inconvenience. Leaked data can include sensitive personal information that could be used in phishing scams, identity theft, or even targeted attacks on individuals and other companies. The fact that INC Ransom claims to have stolen six terabytes of data is alarming. While Ahold Delhaize USA has not confirmed the volume or nature of the stolen information, such a large quantity could potentially include anything from employee records and vendor contracts to internal communications and system configurations. What Consumers Should Do If you shop at Stop & Shop, Hannaford, Food Lion, or Giant Food, keep an eye out for communications from the company. If your data was involved, you should receive an official notice with next steps. In the meantime, customers are advised to: Monitor their email and bank accounts for unusual activity Be cautious of phishing attempts pretending to be from Ahold Delhaize or its supermarket brands Change passwords for online accounts related to grocery shopping, especially if the same password is used elsewhere As ransomware groups like INC Ransom continue to adapt and strike globally, companies must prioritize cybersecurity at every level—from their internal systems to vendor relationships and beyond.
Analysis Summary
# Incident Report: Ahold Delhaize USA Data Theft (Fall 2024)
## Executive Summary
Ahold Delhaize USA was impacted by a cyberattack in the Fall of 2024, resulting in a confirmed data breach. The threat actor, identified as INC Ransom, claimed to have stolen six terabytes of data. The incident highlights the critical need for enhanced cybersecurity across retail operations and vendor relationships to protect sensitive information.
## Incident Details
- **Discovery Date:** Not explicitly stated (Implied detection occurred leading up to the April 21, 2025 reporting date regarding confirmed data theft).
- **Incident Date:** Fall 2024
- **Affected Organization:** Ahold Delhaize USA (Brands mentioned include Stop & Shop, Hannaford, Food Lion, and Giant Food)
- **Sector:** Retail/Grocery
- **Geography:** USA
## Timeline of Events
### Initial Access
- **Date/Time:** Fall 2024 (Specifics unknown)
- **Vector:** Not explicitly detailed in the provided text, though the incident resulted in a ransomware/data extortion event.
- **Details:** Attackers successfully breached the environment.
### Lateral Movement
- **Details:** Not specified in the provided text.
### Data Exfiltration/Impact
- **Details:** INC Ransom claimed to have stolen six terabytes (6 TB) of data. Ahold Delhaize USA confirmed data was stolen, though the volume and nature were not officially disclosed by the company. Potential data includes employee records, vendor contracts, internal communications, and system configurations.
### Detection & Response
- **How it was discovered:** Not specified.
- **Response actions taken:** The company confirmed the data theft and likely initiated standard incident response procedures, including notifying affected parties (as advised in the text).
## Attack Methodology
- **Initial Access:** Unknown.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Successful exfiltration of up to 6 TB of data (claimed by threat actor).
- **Exfiltration:** Data was successfully exfiltrated prior to disclosure.
- **Impact:** Data theft leading to potential exposure of sensitive corporate and customer/employee information.
## Impact Assessment
- **Financial:** Potential operational and financial harm due to disruption or recovery costs (implied).
- **Data Breach:** Up to 6 TB of data claimed stolen. Potential data includes employee records, vendor contracts, internal communications, and system configurations.
- **Operational:** Potential short disruption to inventory management, payment processing, and online services.
- **Reputational:** Negative impact due to the confirmed data theft involving major supermarket brands.
## Indicators of Compromise
- **Network indicators:** None provided (Defanged).
- **File indicators:** None provided.
- **Behavioral indicators:** Presence of the threat actor **INC Ransom** associated with the exfiltration.
## Response Actions
- **Containment measures:** Not specified.
- **Eradication steps:** Not specified.
- **Recovery actions:** Not specified (Consumers advised to monitor accounts and change passwords).
## Lessons Learned
- **Key takeaways:** Large-scale data breaches remain a significant threat to major retail entities relying heavily on technology.
- **What could have been done better:** The need for robust cybersecurity across internal systems and vendor relationships was underscored by the incident.
## Recommendations
- **Prevention measures for similar incidents:** Enhance cybersecurity across all levels of the organization, review and strengthen internal systems protecting sensitive data, and validate security posture across the supply chain/vendor relationships. Consumers should immediately monitor communications and financial accounts and be vigilant against related phishing attempts.