Payment Card Data Stolen From Taprooms and Restaurants, Supermarket Chain Says
Upscale supermarket chain Whole Foods Market says it’s investigating an apparent payment card data breach that affects facilities located in some of its stores, although none of its checkout lanes.
“Whole Foods Market recently received information regarding unauthorized access of payment card information used at certain venues such as taprooms and full table-service restaurants located within some stores,” the supermarket chain says in a Thursday statement.
“These venues use a different point-of-sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected,” the company adds.
Based in Austin, Texas, Whole Foods sports 449 stores in the United States, and is the ninth largest U.S. food retailer by sales volume. It has more than 87,000 employees, 13 stores in Canada and nine in the United Kingdom, and saw $15.7 billion in sales in 2016.
Whole Foods could not be immediately reached for comment about how many of its supermarkets have restaurants, but it reportedly has more than 40 taprooms, aka bar areas.
Whole Foods has not detailed how or when it learned of the breach, or if payment cards handled outside the United States might have been affected; the company could not be immediately reached for comment. But it says that when it learned of the breach, “the company launched an investigation, obtained the help of a leading cyber security forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue.”
In June, in a move that shocked the $800 billion supermarket industry, Amazon.com announced that it would be buying Whole Foods. The deal, finalized in August for $13.7 billion, now pits Amazon.com directly against such supermarket giants as Wal-Mart Stores, Kroger and Costco Wholesale.
Whole Foods says its breach does not affect any Amazon systems. “The Amazon.com systems do not connect to these systems at Whole Foods Market,” it says. “Transactions on Amazon.com have not been impacted.”
Payment Card Breach Epidemic Continues
The Whole Foods breach is merely the latest in a long line of hack attacks that have targeted organizations that collect payment card data, especially in the hospitality sector, including numerous hotels and restaurants (see Trump Hotels Suffers Another Payment Card Breach).
Just this week, for example, fast-food chain Sonic Drive-In said it was investigating an apparent payment card data breach affecting an unspecified number of its 3,500 franchises across the United States.
While some attacks target third-party POS service providers, the payment card data breach epidemic is being compounded by too many such organizations failing to prepare for breaches, segment their networks, ensure that POS devices do not retain default settings, or put in place proper detection and response capabilities, according to Verizon’s 2017 Data Breach Investigations Report.
Apparent Network Segmentation
Security experts say that the apparent inability of Whole Foods’ hackers to jump from point-of-sale systems in its taprooms and restaurants to other systems running under the same roof – such as POS terminals in grocery checkout aisles and building climate controls – suggests that Whole Foods Market was running segmented networks.
Segmentation has long been highlighted by security experts as a best practice that helps organizations limit the damage they face in the event that they get breached (see 5 Secrets to Security Success).
Alternatively, however, the restaurant and taproom systems at Whole Foods may have been outsourced to a separate, third-party provider and managed using entirely separate resources.
Whole Foods couldn’t be immediately reached for comment.
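The segmentation point above, as an added illustration that is not from the article or from Whole Foods: a small policy audit over constructed flow records that flags traffic leaving the restaurant-POS segment for the checkout-POS or building-control segments, where the segment addressing, the flow format and the allow-list are all assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed segment plan (hypothetical addressing, not Whole Foods' real network):
# each in-store function gets its own subnet.
SEGMENTS = {
    "restaurant_pos": ip_network("10.10.0.0/24"),     # taproom / table-service POS
    "checkout_pos": ip_network("10.20.0.0/24"),       # primary store checkout lanes
    "building_controls": ip_network("10.30.0.0/24"),  # climate / building systems
    "payment_gateway": ip_network("10.99.0.0/24"),    # card processor uplink
}
# Cross-segment flows the policy permits: (source segment, destination segment, dst port).
# Any other flow that crosses a segment boundary is a violation.
ALLOWED = {
    ("restaurant_pos", "payment_gateway", 443),
    ("checkout_pos", "payment_gateway", 443),
}

def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line: str):
    """Parse a constructed flow record of the form '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, port = line.split()
    return src, dst, int(port)

def audit_flows(lines):
    """Return flows that cross a segment boundary without a matching ALLOWED rule."""
    violations = []
    for line in lines:
        src, dst, port = parse_flow(line)
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg == dst_seg:
            continue  # intra-segment traffic is outside this boundary policy's scope
        if (src_seg, dst_seg, port) not in ALLOWED:
            violations.append((src, dst, port, src_seg, dst_seg))
    return violations

# Constructed sample flows: two legitimate gateway calls, two restaurant-POS flows
# into other segments that segmentation should block, and one intra-segment flow.
SAMPLE_FLOWS = [
    "10.10.0.15 10.99.0.5 443",
    "10.10.0.15 10.20.0.7 445",
    "10.10.0.15 10.30.0.9 47808",
    "10.10.0.15 10.10.0.20 8080",
    "10.20.0.7 10.99.0.5 443",
]
```

`audit_flows(SAMPLE_FLOWS)` returns the two restaurant-POS flows aimed at the checkout and building-control segments; in a real deployment the same check runs over firewall or flow exports collected at the segment boundary, and each hit is a detection lead rather than an expected event.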