Ahold Delhaize USA, the parent company of several well-known American supermarket brands, has confirmed that data was stolen during a cyberattack that took place in the fall of 2024. The company shared an update on Thursday, revealing that hackers managed to extract files from internal business systems connected to the earlier security breach.
“Based on our investigation to date, we believe certain files were taken from some of our internal U.S. business systems in connection with the prior cybersecurity issue,” read the company’s statement.
Ahold Delhaize USA operates over 2,000 grocery stores across the country, including major names like Stop & Shop, Food Lion, Giant Food, and Hannaford. In November 2024, the company reported disruptions that impacted online grocery ordering and caused temporary website outages for some of its supermarket chains.
The company acted quickly at that time to restore its operations. “Our teams have been working diligently to determine what information may have been affected,” the company stated in its latest update.
Ongoing Investigation of Ahold Delhaize USA Reveals Data Theft
The Ahold Delhaize cyberattack has now been linked to the theft of certain files from internal U.S. business systems. While Ahold Delhaize USA did not detail exactly what kind of data was taken, it has assured that its teams are working hard to determine what information may have been affected.
“We will notify affected individuals in accordance with our legal obligations,” the company said. Law enforcement agencies have also been informed and updated about the development.
The company emphasized that protecting the information of its customers, employees, and vendors remains a top priority.
INC Ransom Gang Takes Responsibility
The INC Ransom gang has come forward, claiming responsibility for the cyberattack on Ahold Delhaize. In a post made earlier this week, the cybercriminal group claimed it stole six terabytes of data from Ahold Delhaize USA.
As of this writing, The Cyber Express has reached out to Ahold Delhaize for further clarification regarding this claim, but the company has not responded.
Who is INC Ransom?
According to cybersecurity researchers at Cyble, INC Ransom (also known by the alias GOLD IONIC) is a highly active ransomware and extortion group. The group has been operating since at least July 2023 and has targeted a broad spectrum of industries worldwide, including healthcare, education, government, and now retail.
INC Ransom is known for its advanced attack methods, often using multiple tools and malware families to infiltrate systems and steal data. These include:
- AdFind – A tool used to gather information from Active Directory environments
- PsExec – A command-line tool used to execute processes on remote systems
- Rclone – A command-line program used to manage files on cloud storage platforms
The group’s reach is global, with confirmed attacks in countries such as the United States, the United Kingdom, Australia, France, Germany, Italy, the Philippines, and many more.
A Series of Global Cyberattacks
The Ahold Delhaize USA cyberattack is not the first major attack claimed by INC Ransom. In June 2024, the group was allegedly behind a cyberattack on ControlNET LLC, a U.S.-based provider of building technology solutions.
ControlNET specializes in HVAC, lighting, video surveillance, access control, and power systems. In that case, the ransomware group not only claimed to have gained access to the company’s network but also released sensitive information to back their claims. The leaked data included:
- Invoice records
- Building floor plans
- Internal email communications
- Sample project folders involving ControlNET’s clients
INC Ransom also claimed to have targeted Rockford Public Schools as part of the same attack vector, suggesting a potential supply chain risk.
Why This Matters
Cyberattacks like these are a growing concern for companies and consumers alike. For organizations such as Ahold Delhaize USA, which rely on technology to manage inventory, process payments, and offer online services, even a short disruption can cause significant operational and financial harm.
When customer or employee data is involved, the risks extend far beyond temporary inconvenience. Leaked data can include sensitive personal information that could be used in phishing scams, identity theft, or even targeted attacks on individuals and other companies.
The fact that INC Ransom claims to have stolen six terabytes of data is alarming. While Ahold Delhaize USA has not confirmed the volume or nature of the stolen information, such a large quantity could potentially include anything from employee records and vendor contracts to internal communications and system configurations.
What Consumers Should Do
If you shop at Stop & Shop, Hannaford, Food Lion, or Giant Food, keep an eye out for communications from the company. If your data was involved, you should receive an official notice with next steps.
In the meantime, customers are advised to:
- Monitor their email and bank accounts for unusual activity
- Be cautious of phishing attempts pretending to be from Ahold Delhaize or its supermarket brands
- Change passwords for online accounts related to grocery shopping, especially if the same password is used elsewhere
As ransomware groups like INC Ransom continue to adapt and strike globally, companies must prioritize cybersecurity at every level—from their internal systems to vendor relationships and beyond.
