Don’t touch our cheese: largest Dutch supermarket, Albert Heijn, affected by a third-party data breach
The largest supermarket in the Netherlands, Albert Heijn (Ahold), has been subject to a third-party data breach resulting in empty shelves at their stores. Their logistics partner suffered a ransomware attack that left its systems unusable and made it unable to send trucks out on the road to resupply the stores.
To regain access, the logistics partner hired a specialist security company to repair its systems. It remains unclear whether a ransomware payment has been made. Albert Heijn’s partner regained access to their systems and is now working their way through the backlog caused by the outage. They expect to need at least a week until all the shelves are stocked again.
It remains to be seen if this will be the last time the food chain will be impacted by a hack. The National Cyber Security Center (NCSC) of the Netherlands rates third parties as a top-four cause of data loss or disruption. This time the impact was limited, apart from some hurt Dutch sensibilities. Still, the consequences could be much more significant if people were unable to get food from the stores altogether.
How could this have been prevented?
From a supermarket chain as big as Albert Heijn, you’d at least expect a redundant supply chain. Unfortunately, it looks like they were relying on a single logistics partner. With that partner unable to deliver, the shelves remained empty. For such critical parts of the supply chain, we recommend having secondary suppliers to cope with one supplier’s outage.
We recommend actively vetting and monitoring all your critical third parties. Ensure that they take all necessary actions to reduce, as far as possible, the chance of issues that could impact the services you deliver. This starts with simple security reviews. We hope that Albert Heijn takes this message to heart.