Confidential information of Ahold Delhaize found on the dark web

INC Ransom, the hacking group responsible for the ransomware attack on Ahold Delhaize in November 2024, claims it has stolen 6 terabytes of confidential and sensitive information and published a portion of it on the dark web.
At this stage, it remains unclear what kind of data was stolen. On a popular forum for cybercriminals on the dark web, the threat actor has published some documents.
Among other things, a confidentiality agreement for someone visiting an Ahold Delhaize location and copies of ID cards have been posted online. According to EncryptoGuard, over 12,000 IDs and passports have been stolen.
Peter Lahousse, cybercrime trendwatcher and founder of Cybercrimeinfo.nl, was the first to notice the publication of corporate documents on the dark web and reported this to Dutch news outlet BNR Nieuws.
The food retail wholesaler has confirmed the security incident. However, according to the company, the data breach concerns an old leak that was discovered on November 8, 2024, which the company reported to the authorities at the time.
“We apologize for any inconvenience this issue may have caused our customers and partners,” an Ahold Delhaize spokesperson said in a statement to Dutch news outlet Algemeen Dagblad. Because the investigation is still ongoing, the company doesn’t want to share more details on the incident.
INC Ransom has claimed responsibility for the breach and threatens to unveil the stolen information. Whether the ransomware operation has made any demands or the hackers have recently contacted the company remains unclear.
INC Ransom has been active since July 2023 and has affected numerous organizations around the world, including a children’s hospital in the United Kingdom. According to Lahousse, what makes this group particularly dangerous is their use of advanced techniques and tools to penetrate networks, steal data, and encrypt systems. That’s how they bypass security measures and stay under the radar.
The ransomware operation uses an extortion method called ‘double extortion,’ meaning they not only exfiltrate and encrypt confidential data, but also threaten to make this information public if the victim refuses to pay.
According to Piet Kerkhofs, Chief Technology Officer (CTO) and founder of Eye Security, a Dutch cybersecurity firm, Ahold Delhaize most likely refused to pay INC Ransom’s ransom demand, and the ransomware group therefore decided to leak a portion of the exfiltrated data.
Royal Ahold Delhaize serves 72 million customers every week in the United States, Europe, and Indonesia. In the Netherlands, Ahold Delhaize owns brands like Albert Heijn, Etos, Gall & Gall, and Bol. In the United States, Ahold Delhaize has supermarket chains such as Food Lion, Stop & Shop, and Hannaford, which were also impacted by the same security incident in November last year.