The INC ransomware gang claimed it was behind the cyberattack, which limited operations last November at some of the company's 2,000 stores across the U.S.
# Incident Report: Ahold Delhaize USA Cybersecurity Incident (INC Ransomware)
## Executive Summary
A major cyberattack, attributed to the INC ransomware gang, occurred in the fall of 2024 against Ahold Delhaize USA, the parent company of several large supermarket chains. The incident resulted in business disruption, including outages of online ordering and website services, and the confirmed exfiltration of internal business data. The response efforts contained the immediate business impact, and the investigation into the scope of the data compromise is ongoing.
## Incident Details
- Discovery Date: Early November 2024 (Based on service disruptions)
- Incident Date: November 8, 2024 (Approximate date of major impact reported)
- Affected Organization: Ahold Delhaize USA (Parent company of Stop & Shop, Hannaford, Food Lion, Giant Food)
- Sector: Retail/Grocery
- Geography: United States
## Timeline of Events
### Initial Access
- Date/Time: Prior to November 8, 2024 (Attack occurred "last fall")
- Vector: Not disclosed in the source reporting; the intrusion pattern is consistent with typical ransomware attacks.
- Details: Attack led by the INC ransomware gang.
### Lateral Movement
- Details: Attackers gained access to "internal U.S. business systems" and exfiltrated data. Specific lateral movement techniques are not disclosed.
### Data Exfiltration/Impact
- Date/Time: During the incident period (Fall 2024)
- Details: Hackers stole files from internal U.S. business systems. The INC group claimed to have stolen **six terabytes (6 TB)** of information. Operational impact included shoppers being unable to place grocery delivery orders and supermarket websites going offline.
### Detection & Response
- Date/Time: Services were impacted in early November 2024; the investigation later confirmed data theft.
- Details: The company's "cyber-defense capabilities and response protocols" mitigated the worst of the business impact. The investigation is ongoing with external cybersecurity experts, and law enforcement was notified.
## Attack Methodology
- Initial Access: Unknown (the source reporting implies a common ransomware vector but does not name it).
- Persistence: Not disclosed.
- Privilege Escalation: Not disclosed.
- Defense Evasion: Not disclosed. (The group is known for targeting large organizations, but no evasion techniques are reported.)
- Credential Access: Not explicitly detailed.
- Discovery: Not disclosed.
- Lateral Movement: Gained access to "internal U.S. business systems."
- Collection: Gathered "six terabytes of information" from internal systems.
- Exfiltration: Confirmed data theft occurred.
- Impact: Operational disruption (website/delivery outages) and data theft.
## Impact Assessment
- Financial: Not quantified, but implied substantial due to operational disruption across thousands of stores and the breach of a company with $24B+ in annual sales.
- Data Breach: Confirmed theft of files from internal U.S. business systems; the threat actor claims 6 TB of data stolen. Ahold Delhaize stated it will notify individuals if personal data is confirmed to be affected.
- Operational: Significant disruption to online grocery ordering and supermarket brand websites in early November.
- Reputational: Public confirmation of a significant data breach affecting major U.S. supermarket brands.
## Indicators of Compromise
- **Network Indicators (Defanged):** None specified.
- **File Indicators:** None specified.
- **Behavioral Indicators:** Deployment of INC ransomware encryption tooling.
## Response Actions
- **Containment measures:** Cyber-defense capabilities and response protocols were used to mitigate the immediate business impact.
- **Eradication steps:** External cybersecurity experts are assisting with the ongoing investigation (steps not detailed).
- **Recovery actions:** Business operations (e.g., delivery and websites) were restored. Notification procedures are in place should personal data be confirmed compromised.
## Lessons Learned
- The incident highlights the persistent threat posed by well-established ransomware groups such as INC (which experts link to the newer Lynx strain).
- The company's existing response protocols were effective in mitigating the worst *business* impact, despite data loss.
## Recommendations
- Enhance proactive threat hunting tailored to known INC/Lynx TTPs identified by security vendors.
- Review and test offline backups and disaster recovery plans, focusing specifically on rapid restoration of customer-facing digital services.
- Conduct immediate forensic analysis to definitively determine the scope of PII/PHI exposure resulting from the exfiltration of 6 TB of data.