At the end of September, the Amazon-owned grocery chain Whole Foods Market notified customers a security breach. According to the security breach notification issued by the company, cybercriminals were able to gain unauthorized access to credit card information for customers who made purchases at certain venues like taprooms and full table-service restaurants located within some stores.
The Amazon-owned company notified customers last week that the payment systems security breach affected nearly 100 locations across the United States. The company published a page to provide users details about the allow them to check if the store they made was compromised by the hackers.
“Whole Foods Market has resolved the incident previously announced on September 28, 2017, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores.” states the company.
“These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected.”
According to the company, crooks may have stolen payment cards at taprooms and full table-service restaurants using a malware.
Whole Foods hired a cybersecurity forensics firm to conducted the investigation that discovered the intrusion occurred as early as March 10.
Crooks used a PoS malware designed to siphon card data, including cardholder names, account numbers, card expiration dates, and internal verification codes.
The affected locations are in various cities in Alabama, Arizona, Arkansas, California, Colorado, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Maine, Michigan, Minnesota, Missouri, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Tennessee, Texas, Virginia, Washington and Wisconsin. The largest number of affected locations is in California.
“The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information—which could have included payment card account number, card expiration date, internal verification code, and cardholder name—of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017 and no later than September 28, 2017.” continues the firm.
The supermarket chain pointed out that payments made at primary store checkout systems were not affected, the breach does not impact Amazon.com.
The page set up by the company also provides suggestions to the customers on how to protect themselves from fraudulent activities involving their payment cards.
(Security Affairs – Whole Foods Market, security breach)