Organic panic as top Whole Foods supplier becomes latest victim of retail hackers

The primary organic food supplier for Whole Foods has been forced to pull down some of its systems following an apparent cyberattack.

United Natural Foods (UNFI) took urgent action after detecting "unauthorised activity". The attack follows a string of incidents in the UK involving big names like M&S, Harrods and the Co-op as well as attacks on brands like Cartier and North Face.

It is not yet known whether ransomware is involved and the true extent of the disruption remains unclear.

However, on Reddit people claiming to be both Whole Foods customers and employees have shared pictures of empty shelves - raising fears that posh foodies' fave products could become temporarily unavailable.

Based in Rhode Island, UNFI runs 53 distribution centers across the US, delivering both fresh and frozen products to more than 30,000 locations. Whole Foods accounts for approximately one-quarter of its $31 billion in annual net sales.

The incident serves as a grim reminder of the growing risk that hackers now pose to businesses of all shapes and sizes, as well as people of all socioeconomic backgrounds.

Currently, groups like Scattered Spider are waging a mercenary campaign against individual brands. Yet if threat actors can disrupt the supply chain of a high-end retailer, they can bring down others on a much larger scale.

A financially motivated attack on a major high-end retailer might leave rich folks at risk of being unable to buy Himalayan Momo Dumplings or compostable cling film.

But a wider, more concerted and coordinated effort from a nation-state actor in a rival nation could potentially bring down key pillars of the supply chain - a particular problem in an island nation like the UK which imports up to half of its food (and has a government which is not exactly known to be a friend to farmers).

What happened to United Natural Foods (UNFI)?

In an 8-K filing with the U.S. Securities and Exchange Commission (SEC), UNFI said it had activated its incident response plan and implemented "containment measures including proactively taking certain systems offline".

This has "temporarily impacted the Company’s ability to fulfill and distribute customer orders".

UNFI is now working with law enforcement and cybersecurity professionals to investigate the outage, implementing workarounds where possible to continue servicing its customers as it works to bring systems back online.

In a statement, UNFI said: "As soon as we discovered the activity, an investigation was initiated with the help of leading forensics experts and we have notified law enforcement.

"We are assessing the unauthorised activity and working to restore our systems to safely bring them back online. As we work through this issue, our customers, suppliers, and associates are our highest priority. We are working closely with them to minimise disruption as much as possible."

Panic on the High Street: Why are hackers targeting retail?

The UNIF incident is one of a long line of incidents involving prominent retailers.

Michael Freeman, Head of Threat Intelligence, Armis, said it was a "stark reminder that the retail industry remains a highly sought-after target".

"There appears to be no end in sight," he said. "This is more than a wake-up call to retailers to evolve their cybersecurity playbooks. It requires a mindset shift and retailers should take all real world attack vectors into consideration so they can truly protect what matters."

Attacking the supply chain have serious "ripple effects" from empty shelves to delayed deliveries at hundreds of retailers, said Andrew Lintell, General Manager, EMEA at Claroty

"Attackers bet on this urgency to cause maximum disruption," he pointed out. "The financial losses speak for themselves. Over 70% of food and beverage organisations suffered financial losses of at least $100,000 in the past year, with nearly 30% reported losses exceeding $1 million. "

"To defend against this, organisations must strengthen segmentation between IT and OT networks to limit the blast radius of attacks. Continuous monitoring and anomaly detection is also key alongside rigorously assessing third-party risks, such as supplier access to core systems. Recovery planning is also critical to ensure resilience is built into every layer of operations.

"We must move quickly from reactive to proactive security, because in today’s threat landscape, no link in the supply chain is too small to target.”

Walking in to find out UNFI is down
byu/swootnewt inwholefoods

Did Reddit break the story?

News of a potential outage first began to circulate on Reddit two days ago, when one person wrote: "Anyone else noticing something off with UNFI?"

In a megathread discussing the outage, dozens of people claiming to be employees shared their worries about the outage. Many of the reports are too legally sensitive for us to publish.

Employees are concerned about the aftermath of the incident and shared rumours about the level of disruption it has caused.

We have not been able to visit a Whole Foods from our home here in the wilds of the UK - so do not know whether it has run out of certain products.

But the risks of delays to any company which produces fresh food are clear. If the systems go down and operations cease for a period of time, there is a risk that food goes off and the company loses money.

Any incident involving food waste also has environmental implications, particularly if a company has policies in place which prevent it giving leftover food to the community.

So, despite our previous jokes about only well-heeled folks being impacted by this incident, the potential sustainability impacts also need to be discussed.

UNFI is recognised for its dedication to sustainability and the delivery of fresh, organic food.

"Retail businesses are uniquely attractive – and vulnerable – targets."

The sheer amount of customer data retailers hold makes them an obvious target for financially motivated cyber criminals. For state-linked threat actors, attacks on the supply chain carried a double bonus of damage to an enemy economy as well as a potentially substantial payday.

Warren O’Driscoll, Head of Security Practice at NTT DATA UK&I, said: "With the United Natural Foods attack, ransomware threat actors clearly taste blood in the water. In this spree of outages, every payout has made them stronger, bolder, and harder to stop.

"For the state-backed attackers, they’re working for a double reward: a hit to the affected country’s GDP, as well as an under-the-table payout from a company with their back against the wall."

"Unlike critical infrastructure or financial services, the retail sector isn’t under the same regulatory spotlight. That means the maturity bar is typically much lower, creating a range of softer targets for motivated threat actors. For many retailers, even the security basics would be a big step up from where they are now, and this may cost some of them dearly when the worst happens." 

O’Driscoll also warned that businesses were failing to implement tough new card rules which would protect users' data and make attacks on retailers less damaging (and therefore less appealing to the bad guys).

 “To protect cardholders’ information, as of March 31st, all UK retailers who accept card payments must comply with the PCI Data Security Standard (DSS)," he added. "The problem is that only 14.3% of businesses had achieved full compliance as of 2023.

"I understand it’s a tough bar for retailers to clear, but it exists for a reason. Anybody who shops with a card, provides a delivery address, or shares their email for an e-receipt should care about whether retailers take these measures seriously."

We have written to Whole Foods for comment.

Do you have a story or insights to share? Get in touch and let us know. 

Follow Machine on X, BlueSky and LinkedIn