The Daily Swig Web security digest

Whole Foods resolves in-store data breach

James Walker | 26 October 2017 at 11:00

US grocery chain replaces compromised POS systems.

Whole Foods Market, the health-focused supermarket chain with more than 450 stores in North America and the UK, said it has resolved the incident announced last month involving unauthorized access of payment card information.

On September 28, Austin-based Whole Foods alerted customers to a data breach that took place at certain in-store facilities, such as tap rooms and table service restaurants, which used a different POS system than the company’s primary store checkout systems.

The investigation determined that unauthorized software was being used to copy customers’ payment card information – possibly including expiration date, internal verification code, and cardholder name – between approximately March 10 and September 28, 2017.

Whole Foods said it became aware of the breach on September 23, and has now replaced the compromised POS systems.

While the company failed to disclose the scale of the hack, Fox Business reported that around 100 taprooms and restaurants in 30 US states were affected over the six-month period.

The grocery chain, which was acquired by Amazon for $13.7 billion in August, assured customers that the breach was limited to its bricks and mortar venues and did not impact online transactions.

“Whole Foods Market apologizes to customers for any inconvenience or concern this may have caused,” the company stated.

“Payment card network rules generally state that cardholders are not responsible for fraudulent charges that are reported in a timely manner. Customers should promptly report any unauthorized charges to the bank that issued their card.”