
Whole Foods Says Data Breach 'Resolved'

During the weekend, Whole Foods Market announced in a customer notification update that it had "resolved" a recent data breach involving the unauthorized access of customers' payment information in certain stores. The customer notification update stated:

"Whole Foods Market has resolved the incident previously announced on September 28, 2017, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores. These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected. Whole Foods Market learned of the unauthorized access on September 23, 2017. The company conducted an investigation, obtained the help of a leading cyber security forensics firm, and contacted law enforcement. Whole Foods Market replaced these point of sale systems for payment card transactions and stopped the unauthorized activity..."

Reportedly, the breach included about 100 locations. The company operates about 473 stores nationwide.

The update also described the breach method used by the criminals and the types of payment information accessed:

"The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information—which could have included payment card account number, card expiration date, internal verification code, and cardholder name—of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017 and no later than September 28, 2017."

Earlier this year, Amazon acquired Whole Foods for about $13.7 billion. Whole Foods said that Amazon.com systems do not connect to the payment systems at Whole Foods stores, and that transactions on the Amazon.com site were not affected. An October 20, 2017 press release repeated most of the same information as the customer notification.

Besides the replacement of the affected point-of-sale terminals, the customer notification did not explain exactly how the breach was "resolved," how the malware was installed on the terminals, or how the resolution will keep this type of breach from happening again. Often, a resolution includes the hardening of certain computer systems, improved malware detection software, improved managerial oversight, and/or the training of employees. This seems especially important for retail stores with multiple, exposed payment terminals.

On the Whole Foods website, the headline of the September 28, 2017 press release now links to the same October 20 customer notification update. It seems the company deleted the September press release. Why do this? It makes it difficult for readers to determine what's new or changed since the September 28 disclosure.

Plus, hacking details matter. As readers of this blog know, unattended, free-standing payment terminals in retail stores have long been high-value targets for criminals armed with skimming devices. Was the malware introduced locally (e.g., manually by a person) at each terminal or centrally through the company's computer network? Sadly, the update did not explain. Hopefully, future updates will.

Until then, it's hard for customers to trust that the breach was fully "resolved." Replacing the affected terminals is no guarantee that the malware won't be re-introduced into the replacement terminals. If I continue to shop there, I'll use cash. What do you think?

Comments


Chanson de Roland

Why did Whole Foods even retain its customers’ payment information once it was paid? Did Whole Foods’ customers give Whole Foods permission to keep their payment information on file after their transactions were completed?

More and more companies want to indefinitely keep a customer’s payment information on file even after the company has been paid. I recommend that customers resist this, because, as readers of this blog know, data breaches that disclose customers’/users’ personal information have become routine, no company is impervious to data breaches, and most companies’ computer systems are vulnerable to skillful and determined criminals or to their employees’ malfeasance or misfeasance.

So I think it is wise to eliminate our payment and other personal data from a company’s computer systems whenever possible, and nothing is sacrificed by doing so, except perhaps some inconvenience.
