The cyberattack that struck Ahold Delhaize USA in late 2024 potentially exposed sensitive information belonging to more than 2 million people, the grocery company disclosed last week.
Data that might have been compromised includes birthdays, Social Security numbers, bank account details, health records and workers’ compensation information, Ahold Delhaize USA said in an update posted on Thursday. The breach affected people including current and former employees as well as their dependents and beneficiaries, according to the company.
Ahold Delhaize USA said in an FAQ about the breach that it does not believe that the attack impacted customer payment or pharmacy systems.
According to a form Ahold Delhaize USA filed with the attorney general of Maine, where the company operates supermarkets under its Hannaford banner, the cyberattack impacted about 2.2 million people, including nearly 100,000 who reside in that state.
Ahold Delhaize USA notified people whose information may have been exposed about the breach in a letter dated last Thursday, noting that intruders gained access to one of its databases on Nov. 5 and 6.
The company did not propose a remedy to people who might have been affected by the attack beyond offering two years of credit monitoring and identity protection services.
“We take this issue extremely seriously and will continue to take actions to further protect our systems,” Ahold Delhaize USA said in the letter.
Ahold Delhaize USA’s parent company revealed on Nov. 8 that its systems had been compromised and said in April that the attackers had gained access to sensitive information connected with people in the Netherlands, where it is based. The attack also forced the grocer to temporarily take some of its systems offline, temporarily halting Hannaford’s e-commerce services and causing outages on websites operated by the company’s other U.S. banners, which include The Giant Company, Giant Food, Food Lion and Stop & Shop.
A threat group known as Inc Ransom claimed responsibility for the cyberattack.
Ahold Delhaize USA’s disclosure that the attack resulted in the exposure of people's personal information follows a cyberattack earlier this month that forced grocer distributor United Natural Foods, Inc. to take down some of its online systems and disrupted its ability to make deliveries to retailers. UNFI said last week that it had contained the attack and restarted its electronic ordering and invoicing operations.
