
Dutch parent company of Hannaford and Stop & Shop confirms data stolen in cyberattack

The Dutch conglomerate behind several major U.S. supermarket brands confirmed on Thursday that data was stolen from its systems during a cyberattack last fall.

Ahold Delhaize USA said an investigation has revealed that hackers stole files from “internal U.S. business systems in connection with the prior cybersecurity issue.”

The parent company of Stop & Shop, Hannaford, Food Lion, and Giant Food, Ahold Delhaize USA has more than 2,000 stores across the country. In November, shoppers across the country were unable to place grocery delivery orders online and websites for some of the supermarket brands were offline.

The INC ransomware gang took credit on Wednesday for the cyberattack, claiming to have stolen six terabytes of information. 

Ahold Delhaize USA would not comment on the claims made by the group but shared a statement with Recorded Future News resembling the one published on its website. 

A spokesperson said the company’s teams “have been working diligently to determine what information may have been affected” but noted the business impact of the attack “was mitigated by our cyber-defense capabilities and response protocols.”

“The investigation remains ongoing, with the assistance of external cybersecurity experts,” they said. “If we determine that personal data was impacted, we will notify affected individuals as appropriate. In addition, we have notified and updated law enforcement.”

Ahold Delhaize is one of the world’s largest food retail groups, reporting net sales in 2023 of more than $24 billion. 

According to researchers at the cybersecurity firm SentinelOne, the INC ransomware group emerged in July 2023.

The gang has persistently targeted European governments and large companies over the last two years. Google threat researchers said in March 2024 they saw a cybercriminal associated with the gang seeking “illicit access to Dutch and French medical, government and educational organizations.”

Threat actors connected to the gang have also attacked the State Bar of Texas, a prominent healthcare system in Michigan, Yamaha Motor and printer manufacturer Xerox.

The group was responsible for hacking into Hungary's defense procurement agency in November 2024. Secureworks tracked 72 victims on the INC ransomware leak site from August 2023 through March 2024.

Cybersecurity experts at Palo Alto Networks and Group-IB previously said another ransomware gang, known as Lynx, is either a rebrand of INC or purchased the group’s source code and recently attacked Romania's largest electricity provider.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.