The breach that hit Delaware North — the privately held hospitality and gaming conglomerate that runs concessions at stadiums, airports, national parks, and casinos across North America — did not require an exotic zero-day or a nation-state crew. It required one thing that happens thousands of times a day across corporate America: an attacker getting into a single employee’s Microsoft account. From that one foothold, the intruder walked off with files containing the kind of government-identity data that fuels years of fraud.

According to breach notifications, Delaware North identified suspicious activity in the employee’s Microsoft account on January 28, 2026 — and subsequently determined the unauthorized actor had already stolen copies of certain files the day before, on January 27. The theft, in other words, was complete before the alarm even sounded. That one-day gap between exfiltration and detection is the whole ballgame in modern intrusions: by the time anyone notices, the data is gone.

What was taken, and when victims learned

A forensic review took months. It was not until May 28, 2026 that Delaware North determined the exfiltrated files may have contained names, driver’s license numbers, and state-issued identification numbers. A separate report submitted to the Texas Attorney General’s Office indicates that Social Security numbers may also have been exposed.

That combination — name, driver’s license, state ID, and potentially SSN — is precisely the dossier an identity thief wants. Unlike a password, you cannot rotate your driver’s license number or your Social Security number. Once it is in a criminal database, it is there permanently, available to open fraudulent accounts, file bogus tax returns, or pass identity-verification checks for years to come.

Delaware North began mailing notification letters on June 5, 2026, more than four months after the intrusion and roughly a week after confirming what the files contained.

The New Hampshire numbers

The breach is national in scope, but it surfaced in state-level disclosures. In New Hampshire, where companies must report breaches to the Attorney General, the filing showed 1,133 residents affected. Maine counted 132. Nationwide, more than 10,000 people were caught up in the incident, with additional victims reported in states including South Carolina and Texas.

Those are modest numbers next to the mega-breaches that dominate headlines — but the per-person harm is identical. A leaked driver’s license number does the same damage whether it sits in a file of 10,000 or 10 million. State breach-notification laws exist precisely so that smaller, quieter incidents like this one cannot pass unnoticed.

The credit-monitoring playbook — and its limits

Delaware North is offering affected individuals one year of complimentary credit monitoring and identity-theft protection through Kroll, including triple-bureau credit monitoring and unlimited fraud consultation with a Kroll specialist. It is the standard post-breach response, and it is genuinely useful — but it comes with a built-in mismatch the industry rarely acknowledges: the monitoring lasts one year, while a stolen Social Security or driver’s license number is dangerous for life. Criminals know this, and patient fraudsters routinely sit on stolen identity data until the free monitoring lapses.

Attorneys are already circling. At least one firm has publicly announced an investigation into potential class-action claims on behalf of those affected — the now-routine legal aftershock that follows breaches of identity-grade data, and part of the broader trend we’ve documented toward aggressive breach litigation even where immediate harm is hard to prove.

The lesson sitting in every inbox

Strip the Delaware North incident to its core and it is a story about one account. No firewall was bypassed at scale, no supply chain was poisoned — an attacker got into a single Microsoft 365 mailbox and that was sufficient to reach files full of customer identity data. It is the most common breach pattern there is, and the controls that stop it are equally well known:

  • Phishing-resistant multi-factor authentication on every account, so a stolen password alone is not enough.
  • Least-privilege access, so that a single compromised employee account cannot reach a trove of government-ID records it never needed.
  • Data minimization and retention limits, so the files an attacker can grab are smaller and shorter-lived.
  • Faster detection, to close the gap between exfiltration on January 27 and discovery on January 28 — because in this case, that gap was already too late.

For the thousands now reading a letter from Delaware North, the practical advice is the same as after any identity breach: place a credit freeze (free, and far more durable than a year of monitoring), watch for fraudulent accounts and tax filings, and treat the exposure as permanent rather than a one-year problem. The company’s account was breached for a day. The victims will be managing the fallout for far longer.

Sources