Full Report
The Dutch conglomerate behind Hannaford, Stop & Shop and other major grocery brands informed state regulators of the scope of a November cyberattack that hampered online orders and leaked sensitive data.
Analysis Summary
# Incident Report: Ahold Delhaize Data Breach via Ransomware Attack
## Executive Summary
In November 2024, Ahold Delhaize, the Dutch parent company of several major US grocery chains, suffered a cyberattack for which the INC ransomware group later claimed responsibility. Internal employment records belonging to more than 2.2 million people were exfiltrated. According to the company's investigation, data theft began on November 5, 2024 and the intrusion was detected the following day; the attack also caused operational disruption, including an outage of online grocery delivery. The company launched an investigation, notified regulators and affected individuals, and offered credit monitoring services.
## Incident Details
- **Discovery Date:** November 6, 2024
- **Incident Date:** Data theft began on November 5, 2024
- **Affected Organization:** Ahold Delhaize USA (owner of Food Lion, Giant Food, Hannaford, Stop & Shop)
- **Sector:** Retail/Grocery
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** November 5, 2024 (Date determined by investigation)
- **Vector:** Not disclosed. The source does not identify how the attackers gained initial access, so no vector should be assumed.
- **Details:** The company's investigation determined that data theft began on this date.
### Lateral Movement
- **Details:** The attackers moved through the network sufficiently to access "internal employment records containing personal information." (Specific movement techniques are not detailed.)
### Data Exfiltration/Impact
- **Details:** The INC ransomware gang claimed to have stolen six terabytes of information.
- **Impact:** Stolen data included Social Security numbers, passport information, bank account numbers, health information, and other sensitive employment data for more than 2.2 million people. Operationally, customers were unable to place grocery delivery orders online and some brand websites went offline in November.
### Detection & Response
- **Detection:** November 6, 2024 (One day after data theft began).
- **Response:** Ahold Delhaize launched an investigation, filed documents with regulators (e.g., Maine), notified victims, and offered two years of credit monitoring services.
## Attack Methodology
- **Initial Access:** Not disclosed.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Inferred; some form of credentialed access would be needed to reach HR systems, but no technique has been disclosed.
- **Discovery:** Inferred; the attackers located internal employment records, but no technique has been disclosed.
- **Lateral Movement:** Inferred from the access to internal employment records; not confirmed by the source, and no technique has been disclosed.
- **Collection:** Internal employment records containing PII, financial and health information.
- **Exfiltration:** The INC ransomware group claimed in April 2025 to have stolen six terabytes of data. The volume is the attackers' claim; what the company's regulatory filing confirms is the categories of data and the number of affected individuals.
- **Impact:** Data theft and significant operational disruption (delivery system outage).
## Impact Assessment
- **Financial:** Not specified, though the incident caused operational disruptions.
- **Data Breach:** Data belonging to **2.2 million people** was stolen, including: Social Security numbers (SSNs), passport information, bank account numbers, health information, and employment data.
- **Operational:** Customers were unable to place grocery delivery orders online, and some supermarket websites were temporarily offline.
- **Reputational:** Significant negative publicity resulting from the disclosure of a major data breach involving multiple recognizable US supermarket brands.
## Indicators of Compromise
*Note: No technical IOCs (IP addresses, domains, file hashes) were published in the source. The only attribution indicator is the threat actor's public claim.*
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Bulk access to and exfiltration of HR records in roughly the day before detection (inferred from the data stolen); no tooling has been disclosed.
## Response Actions
- **Containment measures:** Not detailed. Online ordering and some brand websites were disrupted in November and later restored, which implies containment and recovery steps were taken, but the source does not describe them.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Restoring online delivery functionality and notifying regulatory bodies and affected customers.
## Lessons Learned
- **Key takeaways:** Internal HR records (SSNs, passport data, bank account numbers, health information) for more than 2.2 million people sat where a single intrusion could reach them in bulk; such repositories are high-value targets in enterprise breaches. Detection came one day after data theft began (Nov 5 to Nov 6), which is fast, yet the attackers still removed what they later claimed was six terabytes. The attackers' public claim came months later (April 2025), and the full scope reported to regulators followed the investigation, so the affected population was known only long after the intrusion itself.
- **What could have been done better:** Tighter segregation of, and access control over, highly sensitive employment data containing SSNs and health records, so that an intrusion elsewhere in the environment cannot reach it in bulk.
## Recommendations
- Segment and tightly access-control systems that hold high-value PII (SSNs, passport and bank account numbers, health records), especially HR systems, and monitor bulk reads from them.
- Because the initial access vector has not been disclosed, review the usual ransomware entry points (exposed remote access services, phishing, unpatched internet-facing devices) rather than assuming a single one.
- Hunt proactively for data staging and bulk outbound transfer. A multi-terabyte exfiltration over about a day is a volume that per-host outbound baselining on flow or proxy logs can flag, even when endpoint controls have been bypassed.
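As an added example that is not part of the original report and not Ahold Delhaize's own tooling, the following Python script shows the kind of outbound-volume baselining the last recommendation refers to. It aggregates bytes sent from internal hosts to external destinations per day from flow records (constructed sample data, not from the incident) and flags a host whose daily external transfer is both above an absolute floor and far above its own median for earlier days. The internal address ranges, the thresholds, and the sample addresses are assumptions chosen for illustration.

```python
"""Hunt for bulk outbound transfer (possible exfiltration) in flow records.

Added example; the flow records, address ranges and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed enterprise-internal ranges. Defined explicitly rather than via
# ip_address().is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: "<iso timestamp> <src> <dst> <bytes>" per line.
# 10.20.5.17 talks to a SaaS endpoint at a few MB/day (normal).
# 10.20.7.8 sends ~2 GB/day of backups externally, then 120 GB on Nov 5.
# 10.20.5.40 only ever talks internally, then pushes 730 GB out on Nov 5.
SAMPLE_FLOWS = """\
2024-11-03T10:00:00 10.20.5.17 198.51.100.10 4200000
2024-11-03T11:00:00 10.20.5.17 198.51.100.10 3900000
2024-11-03T12:00:00 10.20.5.40 10.20.9.2 900000000
2024-11-03T23:00:00 10.20.7.8 198.51.100.10 2000000000
2024-11-04T10:00:00 10.20.5.17 198.51.100.10 4100000
2024-11-04T14:00:00 10.20.5.40 10.20.9.2 950000000
2024-11-04T23:00:00 10.20.7.8 198.51.100.10 2100000000
2024-11-05T02:00:00 10.20.5.40 203.0.113.9 320000000000
2024-11-05T03:30:00 10.20.5.40 203.0.113.9 410000000000
2024-11-05T10:00:00 10.20.5.17 198.51.100.10 4000000
2024-11-05T23:00:00 10.20.7.8 203.0.113.9 120000000000
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse whitespace-separated flow lines into (datetime, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def daily_outbound(flows):
    """Return {host: {date: bytes}} counting only internal -> external traffic."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][ts.date()] += nbytes
    return totals


def find_exfil_candidates(flows, ratio: float = 10.0,
                          floor_bytes: int = 50 * 1024 ** 3):
    """Flag host-days whose external volume is >= floor_bytes and either
    >= ratio x the host's median over earlier days, or has no earlier
    external history at all (a host that never sent data out before).
    """
    findings = []
    for host, per_day in daily_outbound(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = [per_day[d] for d in days[:i]]
            baseline = median(prior) if prior else 0
            volume = per_day[day]
            if volume >= floor_bytes and (baseline == 0 or volume >= ratio * baseline):
                findings.append({"host": host, "day": day.isoformat(),
                                 "bytes": volume, "baseline": baseline})
    return findings


def main():
    for f in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['host']} {f['day']}: {f['bytes'] / 1e9:.1f} GB out "
              f"(prior-day median {f['baseline'] / 1e9:.2f} GB)")


if __name__ == "__main__":
    main()
```

The absolute floor keeps low-volume hosts out of the results regardless of ratio, and the "no prior history" rule catches the case that matters most here: a host that has never exchanged data with the outside suddenly moving hundreds of gigabytes. In production the baseline would come from weeks of history rather than two days, and the same aggregation can be run over proxy or cloud-storage egress logs.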