The grocery chain, which was acquired by Amazon for $13.7 billion in late August, announced Thursday it “recently received information regarding unauthorized access of payment card information.”
Customers who bought groceries at 56 stores throughout the country were not affected by the breach, but instead, those who frequent the in-store table-service restaurants and taprooms at those places may have had their payment card information accessed as a different point of sales system is used there. The stores’ main checkout registers were not a part of the breach.
If the whole Equifax debacle changes anything at all, it should be the public perception of what a responsible disclosure looks like in the wake of a devastating data breach.
That’s a lesson that, incredibly, Whole Foods seems determined to ignore.
The data breach was made public two weeks ago, but the affected stores were not announced at that time, as the company investigated the hack. It was uncertain whether the security breach reached all 470 Whole Foods locations, according to the Associated Press, but that number was later reduced.
It’s been 12 days since Whole Foods first disclosed that its point-of-sale systems were compromised, leaving an untold number of credit card holders at risk. The following day, Gizmodo reported that as many as 117 venues may have been impacted. At the same time, the company set up a website that allows the public to see which stores are involved which included two San Francisco locations, three in the South Bay, and other parts of the Bay Area. But since then, the company has gone dark.
To date, Whole Foods’ initial statement on September 28th represents the entirety of its public disclosure. In an email to Gizmodo on Monday, the company again declined to say when the company first discovered the breach. Did it wait days, weeks, or months to notify the public? That is information Whole Foods has readily on hand and is refusing to divulge. The supermarket chain has further refused to say whether any potentially compromised customers have been contacted individually.