Massive data breach at Hannaford parent company affects over 95,000 Mainers

More than 95,000 Maine residents are among the 2.2 million people nationwide impacted by a major data breach involving Ahold Delhaize USA, the parent company of Hannaford Supermarkets and several other grocery chains.

The breach occurred on November 5, 2024, and was detected the following day. A new filing with the Maine Attorney General’s Office reveals the full scale of the incident, which Ahold Delhaize has now confirmed involved the unauthorized extraction of files from one of its internal U.S. file repositories by an external actor.

According to a company spokesperson, the compromised data includes a range of sensitive personal information. The exposed files may contain names, contact details, dates of birth, government-issued ID numbers (including Social Security and driver’s license numbers), financial account information, employment records, and certain health or workers’ compensation details. The specific data affected varies by individual.

While Ahold Delhaize stated that customer payment systems and pharmacy records were not compromised, the company acknowledged that both current and former employees — as well as some customers — were among those whose information was accessed.

In response, Ahold Delhaize is offering 24 months of free credit monitoring and identity protection services through Experian to those affected. The company is also urging impacted individuals to review their account statements regularly and monitor their credit reports for suspicious activity.

“We understand the importance of cybersecurity and are committed to protecting the information of our customers, associates, and vendor partners,” the company said in a statement. “We continue to take actions to further safeguard our systems.”

At the time of the breach, Hannaford’s website, mobile app, and "To Go" online ordering system were taken offline for approximately a week, although physical stores remained open. The company had initially referred to the incident as a “cybersecurity issue” and provided limited details about the scale of the attack.