[BreachExchange] Whole Foods Market Investigates Hack Attack

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 29 13:56:36 EDT 2017


https://www.databreachtoday.com/whole-foods-market-investigates-hack-attack-a-10346

Upscale supermarket chain Whole Foods Market says it's investigating an
apparent payment card data breach that affects facilities located in some
of its stores, although none of its checkout lanes.

"Whole Foods Market recently received information regarding unauthorized
access of payment card information used at certain venues such as taprooms
and full table-service restaurants located within some stores," the
supermarket chain says in a Thursday statement. "These venues use a
different point-of-sale system than the company's primary store checkout
systems, and payment cards used at the primary store checkout systems were
not affected."

Based in Austin, Texas, Whole Foods has 449 stores in the United States,
making it the ninth largest U.S. food retailer by sales volume. It has more
than 87,000 employees, 13 stores in Canada and nine in the United Kingdom,
and had $15.7 billion in sales in 2016.

Whole Foods could not be immediately reached for comment about how many of
its supermarkets have restaurants, but it reportedly has more than 40
taprooms, or bar areas.

Whole Foods has not described how or when it learned of the breach, or
whether payment cards handled outside the United States might have been
affected. But it says in its statement that when it learned of the breach,
"the company launched an investigation, obtained the help of a leading
cybersecurity forensics firm, contacted law enforcement and is taking
appropriate measures to address the issue."

Amazon.com Subsidiary

In June, in a move that shocked the $800 billion supermarket industry,
Amazon.com announced that it would be buying Whole Foods. The deal,
finalized in August for $13.7 billion, now pits Amazon.com directly against
such supermarket giants as Wal-Mart Stores, Kroger and Costco Wholesale.

Whole Foods says its breach does not affect any Amazon systems. "The
Amazon.com systems do not connect to these systems at Whole Foods Market,"
it says. "Transactions on Amazon.com have not been impacted."

Payment Card Breach Epidemic Continues

The Whole Foods breach is the latest in a long line of hack attacks that
have targeted organizations that collect payment card data, including
numerous hotels and restaurants (see Trump Hotels Suffers Another Payment
Card Breach).

Just this week, for example, fast-food chain Sonic Drive-In said it was
investigating an apparent payment card data breach affecting an unspecified
number of its 3,500 franchises across the United States.

While some attacks target third-party POS service providers, the payment
card data breach epidemic is being compounded by too many organizations
failing to prepare for breaches by segmenting their networks, ensuring that
POS devices do not have default settings, or putting in place proper
detection and response capabilities, according to Verizon's 2017 Data
Breach Investigations Report.

Apparent Network Segmentation

Security experts say that the apparent inability of Whole Foods' hackers to
jump from point-of-sale systems in its taprooms and restaurants to other
systems running under the same roof - such as POS terminals in grocery
checkout aisles and building climate controls - suggests that Whole Foods
Market was running segmented networks.

Segmentation has long been highlighted by security experts as being a best
practice to help organizations limit the damage they face in the event that
they get breached (see 5 Secrets to Security Success).

But the restaurant and taproom systems at Whole Foods may have been
outsourced to a separate, third-party provider and managed using entirely
separate resources.

Whole Foods couldn't be immediately reached for comment.