More than 95,000 Mainers and about 2.2 million people overall were affected by a cyber security breach last November that compromised personal information of some current and former Hannaford employees and customers.
Ahold Delhaize USA, Hannaford’s Dutch-based parent company, provided basic details about the breach in a notification filed Thursday with the Maine Office of the Attorney General. The company is also notifying people who were affected by the breach so they can take steps to protect their information.
The notice doesn’t say how many of the affected individuals were employees or customers, but a spokesperson for Ahold Delhaize said the vast majority were former or current employees.
The data breach affected 95,453 Maine residents, making it one of the most wide-reaching cyber incidents reported to the state in the last year, according to data provided by the attorney general’s office.
The company’s internal investigation found no indication that customer payment or pharmacy systems were compromised in the breach and no customer credit card numbers were contained in the affected files, the spokesperson said.
The notice to the attorney general’s office describes the incident as an “external system breach (hacking)” and says it occurred Nov. 5 and was discovered Nov. 6. Ahold Delhaize posted a statement on its website Nov. 8 saying that it was investigating the incident with cybersecurity experts and had notified law enforcement.
The cyber attack crashed Hannaford’s website for several days, making it impossible to purchase to-go grocery orders online or use credit cards at the chain’s 68 stores in Maine. Hannaford employs about 9,500 workers in Maine, with a total of 30,000 employees across 189 stores in Maine, New Hampshire, Vermont, Massachusetts and New York.
An international criminal ransomware gang took credit for the breach via social media in April, but Ahold Delhaize declined to comment at the time.
However, in a statement this week, the company said its investigation found that “an unauthorized third party obtained certain files from one of (our) internal U.S. file repositories between November 5 and 6, 2024.”
The captured information varied from one individual to another, but the data files included names, home and email addresses, and birth dates; telephone, Social Security, passport and driver’s license numbers; checking, banking and investment account numbers; health insurance, workers’ compensation and other medical information contained in employment records, according to the company’s statement.
The company’s notice to the attorney general was filed by Adam Solomon, a New York attorney who is a partner in the international law firm Hunton Andrews Kurth. He declined to be interviewed for this story.
The notice included a sample of the letter that Ahold Delhaize is sending to individuals affected by the breach.
“We are writing to notify you of a cybersecurity issue that may have affected your personal information contained in employment records related to you or your family member,” the letter opens. “We take the safeguarding of personal information very seriously and are providing this notice to explain what happened and the actions we took in response.”
A 2023 Harvard Pilgrim Health Care ransomware attack affected 210,354 Maine residents, as of the latest update filed in October 2024. A breach reported by RiteAid last July affected about 30,000 Mainers, according to state records.
One of the largest food retailers in the world, Ahold Delhaize operates several U.S. chains with more than 2,000 stores across the country, including Stop & Shop, Food Lion and Giant Food.
The company is directly notifying affected individuals whose contact information was identified in its investigation to make them aware of the breach and offer assistance in dealing with it.
“We are informing you about this issue so you can take steps to help protect yourself,” the letter states. “We have arranged to offer complimentary credit monitoring and identity protection services to you for two years.”
The letter also notes that U.S. residents are entitled under federal law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order a free credit report, visit www.annualcreditreport.com or call 877-322-8228.
The letter includes a four-page reference guide with additional information on ways to further protect personal information.
“We encourage you to remain vigilant by reviewing your account statements and monitoring your free credit reports,” the letter concludes. “We regret any inconvenience this issue may cause you.”
For additional information, affected individuals may call Ahold Delhaize at 833-931-3792 on weekdays from 9 a.m. to 9 p.m. Eastern time, excluding major U.S. holidays. More information also is available at adusaservices.com.
Comments are not available on this story. about why we allow commenting on some stories and not on others.
