October 21, 2017

Amazon Whole Foods Cyber Breach: What Acquirers Must Learn

Whole Foods Market has resolved the cybersecurity incident announced on September 28, 2017, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores. These venues use a different point of sale system than the company's primary store checkout systems, and payment cards used at the primary store checkout systems were not affected. Whole Foods Market learned of the unauthorized access on September 23, 2017. Whole Foods Market replaced these point of sale systems for payment card transactions and stopped the unauthorized activity.

The company has subsequently apologized for any inconvenience or concern this may have caused shoppers.

The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information (which could have included payment card account number, card expiration date, internal verification code, and cardholder name) of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017 and no later than September 28, 2017.

Although the company doesn’t state it, we must assume the software further sent the data to the hackers responsible for this cyberattack.

The incident is a tremendous embarrassment to Amazon, a company synonymous with technology and keeping credit cards secure online. Moreover, one would imagine that before the purchase of Whole Foods, due diligence would have taken place to ensure the IT systems were in order and cybersecure.

This is an especially reasonable thing to do in light of data breaches at Home Depot, Target, Dairy Queen, and Kmart, which have all been linked to POS malware variants, including Backoff, BlackPOS, vSkimmer, or TriForce.

Any reputable MSP or MSSP would have been able to go into Whole Foods locations, audit and document the company’s IT systems, and spot the issue. Companies with the least bit of experience would have started at the POS systems and worked outwards. POS systems are one of the primary targets of hackers. Moreover, credit card theft is extremely damaging to relationships with customers.

Before your company decides to merge with or acquire another company, you really must hire an expert in IT services and cybersecurity to ensure your organization knows what it is buying.

Here are some of the areas all organizations looking to promote a cybersecurity culture need to focus on.

1.    Cybersecurity training must be done regularly.

2.    Auditing and documentation must be performed regularly to ensure systems are secure.

3.    Anomaly detection should be running constantly to detect threats as they emerge.

4.    Penetration testing shows if systems can easily be reached from the outside. Here is a case where this test might have saved two companies’ reputations from being destroyed.

5.    Network forensics for when a breach eventually occurs. The bad guys always seem to get in eventually.

6.    An action plan to follow when a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched its response in what is being called a PR catastrophe.

To ensure your organization is safe – even if you have internal IT, hire an experienced MSP or MSSP like Apex Technology Services.
