Whole Foods Market has reported a data breach at select foodservice establishments it operates within its stores.
The unauthorized access of payment card information occurred in taprooms and full table-service restaurants using a different POS system from those used at checkout in its grocery stores. Payment cards used at primary store-checkout systems weren't affected. Amazon.com transactions also have not been affected, as systems at the ecommerce company – and Whole Foods parent – don't connect with those at the grocer.
Austin, Texas-based Whole Foods has launched an investigation, obtained the help of a cybersecurity forensics firm, contacted law enforcement and begun taking appropriate measures to address the issue.
"The company’s investigation is ongoing, and it will provide additional updates as it learns more," Whole Foods said. "While most Whole Foods Market stores do not have these taprooms and restaurants, Whole Foods Market encourages its customers to closely monitor their payment card statements and report any unauthorized charges to the issuing bank."
The attack comes at a time when data breaches are at an all-time high: In 2016, nearly 1,000 cases were reported, the highest number since The Identity Theft Resource Center, in San Diego, began keeping records in 2005. Unfortunately, grocers are a hot place for data criminals, as they are the No. 1 channel for data breaches in terms of percentage of compromised accounts, according to Chicago-based fraud protection firm Rippleshot.
No Small Breach
Although the breach is on a smaller scale, those affected by it certainly won’t feel that way, noted Michael Fauscette, chief research officer at Chicago-based G2 Crowd, a software company that provides security applications, among other services.
And when news about a small-scale breach gets out, despite its actual size, many beyond those directly affected can become concerned and rethink their loyalty to a specific retailer. The mere fact of a breach of any extent – from this one to the one at Yahoo revealed in the midst of its acquisition by communications company Verizon, thus lowering the company’s purchase price by $350 million – demonstrates the importance of data security when it comes to business acquisitions, which Whole Foods recently went through with Amazon.
“In terms of security, startups have to perform at the same level as enterprise organizations much earlier in the game than they had to in the past,” noted Jim Fowler, CEO and founder of Owler, a San Mateo, Calif.-based crowd-sourced competitive intelligence platform provider. “Security is a vital aspect of a business if it wants to be acquired by a tech titan like Amazon, Microsoft or Google,” or if a grocer wishes to be snapped up by a larger company.
To respond effectively and appease affected and concerned patrons, Amazon and Whole Foods must ensure they’re effectively broadcasting a clearly defined message through multiple channels to build and retain consumer trust, Fowler recommended.
“Whole Foods is now a part of a much more visible company,” he said. “If they thought they were a target pre-acquisition, they now have 10 times the spotlight and are the weakest link in the bigger chain of Amazon businesses – people trying to enter the Amazon system will start by going after Whole Foods.”
Beyond that, Whole Foods and Amazon – as well as any other retailers that face such a breach – need to immediately examine their business relationship graph and put together a complete list of vendors and suppliers with which they are sharing security access, Fowler said. If a company is accessing a POS or inventory system, that creates back-door entrances for security breaches.
“It’s not just happenings within your own walls that your company needs to bear in mind – it’s also all their corporate connections, as well as identifying and understanding where threats lie,” he explained. “Equifax’s breach occurred due to the company’s failure to patch a known bug. Those types of loose ends can lead to damaging data breaches, even if your enterprise does everything else perfectly.”