Whole Foods Investigates Payment Card Data Breach

Whole Foods Market said it has investigated and resolved a security incident previously announced on September 28, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores.

These venues use a different point of sale system than the company’s primary store checkout systems, the company said, and payment cards used at the primary store checkout systems were not affected. Whole Foods Market learned of the unauthorized access on September 23. The company conducted an investigation, obtained the help of a cyber security forensics firm, and contacted law enforcement. Whole Foods Market said it replaced these point of sale systems for payment card transactions and stopped the unauthorized activity.

The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information— which could have included payment card account number, card expiration date, internal verification code, and cardholder name— of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017, and no later than September 28, 2017.

The company said that Amazon.com systems do not connect to these systems at Whole Foods Market and that transactions on Amazon.com have not been impacted.