Point-of-sale data breach bad for Whole Foods' health

News by Bradley Barth

Whole Foods Market, disclosed on Thursday that its has suffered a point-of-sale data breach that compromised the payment card information of customers who used its taprooms and full table-service restaurants.

The actual grocery store checkout systems were not impacted, however, as they run on a separate POS system than those affected. Likewise, Amazon.com's systems were not in any way impacted. In August, Amazon purchased the food retailer in a US$ 13.7 billion deal.

Michael Daly, CTO of Raytheon's cybersecurity business, said that having separate POS systems for Whole Food's grocery checkout and food-service venues prevented a much bigger headache. "In a contested environment like this, segmenting the networks, like WholeFoods did with its unique restaurant and taproom environment, saves other parts of the business from also being breached," Daly said in e-mailed comments. "Whether the segmented approach was happenstance or not, there is a lesson to be taken from today's breach.”

In a company news statement, Whole Foods said it has "launched an investigation, obtained the help of a leading cyber security forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue."


Andrew Clarke, EMEA director at One Identity adds in an email to SC: "We are reading about the modern-day version of the bank raid – the challenge that presents itself is that on this occasion is by the time the organisation knows it has happened the criminals are long gone.   Depending on the nature of the attack, even the fact that data has been stolen is often undetected for months.  By that time, the victims extend well beyond the organisation itself, with personal credit card data being a desired target for the criminal."  

“So much of our data seems to be leaking onto the internet that another load won't make a lot of difference, right? Wrong,” says Mark James- security specialist at ESET, adding that: “Every single piece of our data that makes its way onto a criminals list or into a database, of our most precious, private data, is another attack vector for a malicious actor. Cancelling our credit cards is not hard- usually if we have not been completely negligent, then getting the funds refunded is also not difficult- but trying not to get scammed, or be a victim of a phishing attack is not so easy!

Even though Whole Foods (WF) may not in themselves ring bells, when the email arrives their association with Amazon may be the big draw here. It's quite probable we will see phishing attacks using both brand names trying to get you to follow the link or download something to “verify” your details. As with all cases like this, be very vigilant about keeping an eye on your finances- small transactions might just be criminals testing the card to see if it works. If you find anything out of the ordinary then contact your bank immediately." 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews