Cyber Incident Victim: Whole Foods Market
Date: Sep 2017
Location: United States of America
Summary
Whole Foods Market experienced a payment card data breach affecting in-store taprooms, restaurants, and similar venues, though the primary point-of-sale systems in its stores remained uncompromised. The incident did not involve Amazon systems or transactions. The company initiated an investigation with cybersecurity forensic support, notified law enforcement, and implemented measures to address the breach.
Description
On September 28, 2017, Whole Foods Market, recently acquired by Amazon.com Inc. for $13.7 billion, disclosed a cybersecurity incident involving unauthorized access to payment card information at specific venues within some of its stores. The breach affected taprooms, restaurants, and other food service establishments operating inside select Whole Foods locations, where attackers compromised point-of-sale systems. The company clarified that its primary grocery store point-of-sale infrastructure—used across approximately 450 U.S. stores—remained unaffected by the intrusion. Whole Foods further confirmed that neither Amazon.com’s systems nor Amazon.com transactions were connected to or impacted by the breach, maintaining separation between the parent company’s infrastructure and the compromised venues. While over 40 Whole Foods locations were known to feature taprooms serving beer, the company did not immediately specify the total number of in-store restaurants affected or the timeframe during which the breach occurred.

Whole Foods initiated a multi-faceted response upon discovering the incident, including launching an internal investigation and engaging a leading cybersecurity forensics firm to analyze the breach. The company notified law enforcement agencies but did not disclose specific details about the forensic findings, attacker methodologies, or the exact number of compromised payment cards. Remediation efforts focused on implementing "appropriate measures" to secure the affected point-of-sale systems, though technical specifics were not publicly elaborated. The disclosure emphasized the localized nature of the breach, confined to ancillary food service venues rather than core grocery operations, and reaffirmed the operational independence of Amazon’s systems from Whole Foods’ compromised segments. No additional information regarding customer notifications, financial penalties, or long-term operational impacts was provided in the initial announcement.
