On Thursday Whole Foods publicly revealed that a data breach had potentially compromised its customers’ credit card details. But a day later, we still know nothing about which customers, or how many of them, may have been affected.
In response to Gizmodo’s inquiry on Thursday, Whole Foods declined to say how many of its stores may have been involved or where they were located. The company did not respond Friday when asked how long it had been aware of the breach before alerting the public.
In its only statement so far, Whole Foods said it was alerted to a potential breach after it “received information regarding unauthorized access of payment card information.” That language appears to imply that Whole Foods did not detect the compromise itself, but was informed by a third party instead.
Rep. Diana DeGette of Colorado, a frequent and vocal proponent of post-breach consumer protection, told Gizmodo on Friday that Whole Foods must expedite its disclosure process if it means to help customers protect themselves from potential fraud. Timeliness with regard to breach disclosure is key in determining whether a company is reacting appropriately; Equifax was roundly criticized, for instance, for being too slow to notify consumers.
“Whole Foods needs to tell the whole truth about this incident, and soon,” said DeGette, the ranking Democrat on the House subcommittee on oversight and investigations. “Customers need to know whether and how they were affected, when, and in what way. How many people, and in which regions of the country, are at risk? How long ago did Whole Foods learn of it, and what steps have been taken to mitigate the damage?”
Whole Foods has been quick to disclose information about systems it says were definitely not compromised; for instance, it said the apparent breach did not impact Amazon, which acquired the supermarket chain last month.
What’s more, Whole Foods claims only customers of bars and table-service restaurants located inside its stores could be affected. And while the company noted that not every store has a taproom or in-store restaurant, there are a significant number of them spread across the country: As of November, 180 of Whole Foods’ 464 stores had bars or taprooms, according to The Mercury News.
Whole Foods has said that upon learning of the breach it obtained the help of a leading cybersecurity forensics firm and further notified law enforcement; but whether that happened days, weeks, or months ago, the company did not specify. All it has said is that the investigation is “ongoing” and that it will “provide additional updates as it learns more.”
Hopefully that’s sooner rather than later.
Update, 7:36pm: Whole Foods set up a new website that allows customers to see if a store they’ve visited is involved in the breach. The website does not offer any further instructions to customers potentially compromised.
A Whole Foods spokesperson told Gizmodo by phone that “about 117” venues were involved. They declined to specify when exactly the company learned that its point-of-sale systems had been compromised. The spokesperson further declined to say whether customers using mobile payment services, such as Apple Pay, have any reason to be concerned.
Additional reporting by Kate Conger.