Whole Foods Market has resolved the incident previously announced on September 28, 2017, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores. These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected. Whole Foods Market learned of the unauthorized access on September 23, 2017. The company conducted an investigation, obtained the help of a leading cyber security forensics firm, and contacted law enforcement. Whole Foods Market replaced these point of sale systems for payment card transactions and stopped the unauthorized activity. Whole Foods Market apologizes to customers for any inconvenience or concern this may have caused.
The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information—which could have included payment card account number, card expiration date, internal verification code, and cardholder name—of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017 and no later than September 28, 2017.
The Amazon.com systems do not connect to these systems at Whole Foods Market. Transactions on Amazon.com have not been impacted.
Whole Foods Market has been working closely with the payment card companies. Payment card network rules generally state that cardholders are not responsible for fraudulent charges that are reported in a timely manner. Customers should promptly report any unauthorized charges to the bank that issued their card. The phone number to call is usually on the back of the payment card.