During the weekend, Whole Foods Market announced in a customer notification update that it had "resolved" a recent data breach involving the unauthorized access of customers' payment information in certain stores. The customer notification update stated:
"Whole Foods Market has resolved the incident previously announced on September 28, 2017, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores. These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected. Whole Foods Market learned of the unauthorized access on September 23, 2017. The company conducted an investigation, obtained the help of a leading cyber security forensics firm, and contacted law enforcement. Whole Foods Market replaced these point of sale systems for payment card transactions and stopped the unauthorized activity..."
Reportedly, the breach included about 100 locations. The company operates about 473 stores nationwide.
The update also described the breach method used by the criminals and the types of payment information accessed:
"The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information—which could have included payment card account number, card expiration date, internal verification code, and cardholder name—of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017 and no later than September 28, 2017."
Earlier this year, Amazon acquired Whole Foods for about $13.7 billion. Whole Foods said that Amazon.com systems do not connect to the payment systems at Whole Foods stores, and that transactions on the Amazon.com site were not affected. An October 20, 2017 press release repeated most of the same information as the customer notification.
Besides the replacement of the affected point-of-sale terminals, the customer notification did not elaborate on exactly how the breach was "resolved," how the malware was installed on the terminals, or how the resolution will keep this type of breach from happening again. Often, a resolution includes the hardening of certain computer systems, improved malware detection software, improved managerial oversight, and/or the training of employees. This seems especially important for retail stores with multiple, exposed payment terminals.
On the Whole Foods website, the September 28, 2017 press release headline now links to the same October 20 customer information update. It seems the company deleted the September press release. Why do this? It makes it difficult for readers to determine what's new or changed since the September 28 disclosure.
Plus, hacking details matter. As readers of this blog know, unattended, free-standing payment terminals in retail stores have long been high-value targets for criminals armed with skimming devices. Was the malware introduced locally (e.g., manually by a person) at each terminal or centrally through the company's computer network? Sadly, the update did not explain. Hopefully, future updates will.
Until then, it's hard for customers to trust that the breach was fully "resolved." Replacing the affected terminals is no guarantee that the malware won't be re-introduced into the replacement terminals. If I continue to shop there, I'll use cash. What do you think?