
Whole Foods Market Investigates Hack Attack

Payment Card Data Stolen From Taprooms and Restaurants, Supermarket Chain Says
A shopper at Whole Foods Market. (Photo: Whole Foods Market)

Upscale supermarket chain Whole Foods Market says it's investigating an apparent payment card data breach that affects facilities located in some of its stores, although none of its checkout lanes.


"Whole Foods Market recently received information regarding unauthorized access of payment card information used at certain venues such as taprooms and full table-service restaurants located within some stores," the supermarket chain says in a Thursday statement. "These venues use a different point-of-sale system than the company's primary store checkout systems, and payment cards used at the primary store checkout systems were not affected."

Based in Austin, Texas, Whole Foods has 449 stores in the United States, making it the ninth largest U.S. food retailer by sales volume. It has more than 87,000 employees, 13 stores in Canada and nine in the United Kingdom, and had $15.7 billion in sales in 2016.

Whole Foods could not be immediately reached for comment about how many of its supermarkets have restaurants, but it reportedly has more than 40 taprooms, or bar areas.

The Parlor, a restaurant and taproom located at the Whole Foods Market in Savannah, Georgia. (Photo: Whole Foods Market)

Whole Foods has not described how or when it learned of the breach, or if payment cards handled outside the United States might have been affected. But it says in its statement that when it learned of the breach, "the company launched an investigation, obtained the help of a leading cybersecurity forensics firm, contacted law enforcement and is taking appropriate measures to address the issue."

Amazon.com Subsidiary

In June, in a move that shocked the $800 billion supermarket industry, Amazon.com announced that it would be buying Whole Foods. The deal, finalized in August for $13.7 billion, now pits Amazon.com directly against such supermarket giants as Wal-Mart Stores, Kroger and Costco Wholesale.

Whole Foods says its breach does not affect any Amazon systems. "The Amazon.com systems do not connect to these systems at Whole Foods Market," it says. "Transactions on Amazon.com have not been impacted."

Whole Foods Market store in Sacramento, California. (Photo: Whole Foods Market)

Payment Card Breach Epidemic Continues

The Whole Foods breach is the latest in a long line of hack attacks that have targeted organizations that collect payment card data, in particular numerous hotels and restaurants (see Trump Hotels Suffers Another Payment Card Breach).

Just this week, for example, fast-food chain Sonic Drive-In said it was investigating an apparent payment card data breach affecting an unspecified number of its 3,500 franchises across the United States.

While some attacks target third-party POS service providers, the payment card data breach epidemic is being compounded by too many organizations failing to prepare for breaches by segmenting their networks, ensuring that POS devices do not have default settings, or putting in place proper detection and response capabilities, according to Verizon's 2017 Data Breach Investigations Report.

Apparent Network Segmentation

Security experts say that the apparent inability of Whole Foods' hackers to jump from point-of-sale systems in its taprooms and restaurants to other systems running under the same roof - such as POS terminals in grocery checkout aisles and building climate controls - suggests that Whole Foods Market was running segmented networks.

Segmentation has long been highlighted by security experts as being a best practice to help organizations limit the damage they face in the event that they get breached (see 5 Secrets to Security Success).

But the restaurant and taproom systems at Whole Foods may have been outsourced to a separate, third-party provider and managed using entirely separate resources.

Whole Foods couldn't be immediately reached for comment.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



