Whole Foods Customers Hit by Hackers

Rachel Morey
October 3, 2017
Whole Foods Cyber Attack

Thursday, September 21, 2017, was a tough day for Whole Foods. Hackers stole payment information from their customers at undisclosed locations’ restaurants and taprooms. Only 10% of all Whole Foods stores have beer on tap, and the company isn’t disclosing exactly how many restaurants it has at this point.

The good news for many Whole Foods shoppers is that the main payment systems the stores use in traditional checkout lines are safe. The compromised information involves transactions at the chain’s table-service restaurants and taprooms, only.

Amazon customers who know about the Internet sales giant’s recent $13.5-billion purchase of Whole Foods in August of 2017 don’t have anything to worry about in relation to this latest security breach. The two payment networks are not connected in any way.

This type of information theft at point-of-sales systems is common. In 2016, data breaches reported by retail stores and restaurants increased 40%. In February of this year, InterContinental Hotels Group (IHG) were the victims of a breach involving data-stealing malware. Just days later, the fast food giant Arby’s said they discovered a similar type of malware inside the payment systems in one-third of their stores nationwide.

In April of 2017, Chipotle detected unauthorized activity on its network. The company released a statement saying that it believed some of their customers’ card information for transactions between March 24 and April 18 were in the hands of hackers. Just one month later, some Brooks Brothers customers had their card information stolen after an individual placed malicious software on certain payment processing systems in the stores.

Just days ago, KrebsOnSecurity alerted the fast food chain Sonic that millions of stolen credit and debit card numbers belonging to Sonic customers were for sale on the Dark Web. Sonic has locations in 45 states, but the company is unsure of which locations were affected by the security breach.

Customers of these companies or anyone who thinks their sensitive personal information is in the wrong hands should log into their account immediately and change the password to prevent the account from being hijacked. Even if the company where the data breach occurred says their customer information is encrypted and therefore not available to hackers, it’s likely that those encryption methods are hack-able, as well.

Having different passwords made up of a combination of characters and letters for each account is crucial, yet many people still use the same password across many accounts. If committing several complicated passwords to memory is too much work, simply use a password manager. Google has one built-in to their Chrome browser.

Federal law limits consumer liability for fraud on credit card accounts. Card customers are responsible for no more than $50 in fraudulent charges, no matter when they call the card company to report the theft. To get the same benefit with a debit card, the customer must contact the issuing bank to report possible fraud within two days of the unauthorized charges. Between the two-day limit and 60 days, the card holder may be responsible for as much as $500 in fraudulent charges. If they wait longer to report the theft, the bank has no legal responsibility to cover the charges.

If you think your information has been compromised in the Whole Foods taproom and restaurant hack, contact your credit card issuer or your bank immediately.

Whole Foods says it is working closely with local law enforcement and a cybersecurity forensics team to learn more about the hack and learn the identity of the thieves.

See all posts →