Ahold Delhaize USA has confirmed that personal, financial, and health information belonging to over 2.2 million individuals was compromised during a cybersecurity breach in November last year.
Details of the breach were formally disclosed in a filing with the Maine Attorney General’s office on 26 June 2025. The incident, attributed to an external system intrusion, is now known to have affected exactly 2,242,521 individuals, including 95,463 residents of Maine.
The breach happened on 5 November and was discovered the following day. While Ahold Delhaize acknowledged the attack at the time, this latest filing unveils the scale and sensitivity of the data accessed. The stolen information includes combinations of personal identifiers with Social Security numbers, financial account details, employment records, and health-related data.
The incident impacted several of Ahold Delhaize USA’s brands and services, including pharmacy systems and some e-commerce operations. Despite the disruption, all brand stores remained open and operational.
In a public statement issued from the company’s headquarters in the Netherlands on November 8, 2024, Ahold Delhaize said it had “detected a cybersecurity issue within its U.S. network” and took immediate steps to investigate, involving external cybersecurity experts and law enforcement. Some systems were taken offline to contain the breach.
“We will continue to take actions to further protect our systems. The security of our customers, associates and partners is a top priority,” the company said at the time, adding that efforts to assess and mitigate the breach were ongoing.
The multinational retail group, one of the world’s largest, operating more than 9,400 stores under brands like Food Lion, Giant Food, Stop & Shop, and Hannaford, has not publicly confirmed whether customer data was among the stolen files. However, it has indicated that information belonging to current and former employees of Ahold Delhaize USA companies was involved.
The company has offered affected individuals 24 months of complimentary credit monitoring and identity protection services through Experian.
Although Ahold Delhaize has not officially attributed the attack to a specific threat actor, the INC Ransom group claimed responsibility in April 2025 by listing the retailer on its dark web leak site and publishing sample documents allegedly exfiltrated during the breach.
The scale and character of the breach make it one of the most significant retail breaches of the year, a reminder of the persistent threat to big companies that operate complex IT and supply chains in international markets.
And it’s not just US retailers that have been in the crosshairs of cybercrooks. Over the past few months, several high-profile UK retailers, including Harrods, The Co-op, and Marks & Spencer, have also been targeted, which places even more pressure on the retail sector to strengthen its defenses against increasingly sophisticated attacks.
Over the past few months, several high-profile UK retailers have also been in the crosshairs of cybercrooks. Harrods, The Co-op, and Marks & Spencer, are only three of the high-profile retailers that have been targeted, which places even more pressure on the retail sector to strengthen its defenses against increasingly sophisticated attacks.
Boris Cipot, senior security engineer at Black Duck, comments: “Affected users should be vigilant for signs of identity theft and phishing attempts. The stolen information can be used for social engineering attacks, as attackers can pose as legitimate representatives of financial institutions, healthcare providers, or government agencies.”
He says to mitigate potential harm, users should notify relevant institutions about the breach, such as their bank, healthcare provider, employer, or government agencies like the Social Security Administration. “These institutions can provide guidance on next steps to protect against further exposure, monitor credit status, and prevent identity theft.”
“The scariest thing in my mind is that we have now arrived at a very common kinetic effect, e.g. real-world physical issues, because of cyber threats,” adds Lawrence Pingree, VP of Dispersive. “These types of data systems need strong multi-factor authentication, stealth networks to hide and make private the data during transmission and segmentation of users to limit potential lateral movement.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.