
In November 2024, the notorious double-extortion ransomware gang, INC Ransom, successfully infiltrated the network of the multinational food retailer Ahold Delhaize, stealing sensitive personal information from over 2.2 million customers. This cyberattack, which targeted the retailer’s servers, compromised a wide array of customer data, including contact information, names, dates of birth, government-issued IDs (such as Social Security numbers, passports, and driver’s licenses), health records, and employee information.
Ahold Delhaize, which operates across Europe, the United States, Indonesia, and Australia, officially disclosed the breach in a filing with the U.S. Securities and Exchange Commission (SEC), acknowledging that the data breach had caused significant disruption. The attack also impacted a number of their e-commerce platforms, highlighting the vulnerabilities of large, interconnected systems.
In a disturbing twist, the criminal gang, INC Ransom, resorted to the dark web to leak portions of the stolen data after Ahold Delhaize refused to comply with their ransom demands. This leaked data was later put up for sale in April 2025, further exacerbating the company’s already significant breach of customer trust and security.
A Rising Threat: INC Ransom and ‘Vanilla Tempest’
INC Ransomware has been known for its aggressive tactics, including a method known as “double extortion,” where attackers not only encrypt data but also threaten to release sensitive information unless the victim pays a ransom. In a worrying development, Microsoft tracked and identified a subsidiary of the INC Ransom gang in July 2024, naming it “Vanilla Tempest.” This subgroup was specifically assigned the task of targeting healthcare networks within the United States, indicating that the scope of INC Ransom’s operations extends beyond retail and into critical sectors like healthcare.
This development underscores the growing sophistication and reach of cybercriminal organizations. As they continue to expand their operations, more industries and organizations are likely to face similar threats, particularly in the wake of Ahold Delhaize’s breach.
Ahold Delhaize’s Response: Sticking to its Guns
Despite the high pressure to pay the ransom, Ahold Delhaize refused to give in to the demands of the cybercriminals. Instead, the company chose to rely on its robust data continuity and backup systems to recover from the attack. This decision is consistent with best practices for handling such incidents, as paying the ransom does not guarantee that the attackers will return the stolen data or provide a working decryption key.
Moreover, Ahold Delhaize’s approach signals a commitment to not rewarding cybercriminals, since payment could inadvertently fuel further attacks on the organization and others in the industry. By recovering from its own backups, the company was able to avoid creating a dangerous precedent of paying for data, which could encourage more aggressive tactics from ransomware groups.
The decision also highlights a growing recognition in the cybersecurity community that paying the ransom is not a viable long-term solution. Victims of ransomware attacks often find themselves in a vicious cycle, with no assurance that attackers will honor their part of the deal. Instead, maintaining up-to-date backups and a well-structured disaster recovery plan is proving to be the most effective defense against these ever-evolving cyber threats.
Looking Ahead: The Need for Stronger Cybersecurity Measures
The Ahold Delhaize attack serves as a stark reminder of the critical importance of cybersecurity, especially for large organizations with vast amounts of sensitive data. As cybercriminals become more organized and sophisticated, businesses must remain vigilant, continually evolving their security protocols to stay one step ahead of these digital threats. Additionally, employees must be educated about the risks of phishing, malware, and other common attack vectors, as human error is often a weak link in the security chain.
With the rise of ransomware groups like INC Ransom, it’s clear that cybercrime is a growing concern for companies worldwide. The need for comprehensive, proactive cybersecurity measures has never been greater.