Ransomware Attack on Ahold Delhaize Exposes Data of Over 2.2 Million Individuals

A major ransomware attack against Ahold Delhaize, the parent company of several prominent US supermarket and pharmacy chains, has compromised the personal data of more than 2.2 million individuals.

Eduard Kovacs reports in Security Week that the breach, stemming from a 2024 cyberattack, was officially disclosed in June 2025. It exemplifies the growing cybersecurity threats faced by corporations with large consumer and employee databases.

The incident began in November 2024, when Ahold Delhaize companies, including Giant Food pharmacies, Hannaford, Food Lion, The Giant Company, and Stop & Shop, began experiencing network disruptions.

In April 2025, the Inc. Ransom group claimed responsibility for the breach. Ahold Delhaize soon confirmed that the hackers likely accessed and exfiltrated data from internal business systems.

Further investigation revealed that the compromised files included sensitive employment records of both current and former employees.

According to a filing with the Maine Attorney General’s Office, more than two million individuals have been impacted. The type of information exposed varies per person, but may include names, contact details, birth dates, Social Security numbers, passport and driver’s license numbers, bank account details, health information, and employment records.

Ahold Delhaize is notifying those affected and offering two years of complimentary credit monitoring and identity protection.

Lawyers advising companies with large employee or customer data sets should stress the implementation of rigorous cybersecurity frameworks and vendor oversight protocols.

In the aftermath of breaches, counsel should prepare for a pivotal role in navigating regulatory notifications, mitigating liability exposure, and managing damage to the client’s reputation. Companies must also be ready to address potential class-action lawsuits and ensure compliance with evolving state and federal data breach laws.