Shopping at Whole Foods used to be one of my simple pleasures. The supermarket chain, in its earlier years, offered healthy, hard-to-find products long before wellness went mainstream. The stores had a distinct scent—earthy, yeasty, and herbal—that reminded me of what were once known as “health food stores.” Many employees, often tattooed before tattoos were fashionable, took genuine pride in their work.
Whole Foods’ soul was ripped out in 2017 when Amazon acquired the chain for $13 billion. I no longer experience any joy shopping at the company’s stores, which are sterile and aren’t particularly welcoming. Were it not for its selection of premium yogurts, I likely wouldn’t shop there at all.
To be fair, Amazon’s ownership has lowered prices. I’ve saved hundreds of dollars on my favorite yogurts, which are often on special. But other changes still stick in my craw.
At my local Whole Foods in West Los Angeles, much of the produce is imported from Mexico—even though California’s agricultural belt is just as close, if not closer. The product mix now mirrors what’s sold at my neighborhood Ralphs, whose produce section is just as good, if not better. The signature granola-crunch smell is gone. The cashiers, while efficient, don’t seem to enjoy their jobs, although they are decidedly nicer and more engaging than the baristas at the neighborhood Starbucks.
If Amazon achieves its automated utopia, those employees won’t be around much longer. Self-checkout kiosks already occupy lanes once staffed by human beings. And here’s why Amazon’s tech ambitions could easily spiral into one of America’s biggest nightmares.
Cold War Moscow?
This past Saturday night, I dropped into Whole Foods to grab some yogurt—and found bare shelves. The dairy case looked like a photo from Cold War-era Moscow. I assumed a fire sale had triggered a stampede. But a manager told me otherwise:
“Whole Foods was hacked earlier this week. We’re having supply chain issues.”
If there’s one grocery chain I’d expect to have impenetrable IT systems, it’s Whole Foods—especially with Amazon at the helm. Amazon doesn’t just run one of the world’s largest e-commerce platforms. It also powers the digital backbone of the global economy.
Amazon Web Services (AWS) stores and processes data for some of the supposedly most security-obsessed institutions on Earth: Wall Street banks, defense contractors, healthcare conglomerates—even U.S. intelligence agencies. If AWS stumbles, it isn’t just a tech hiccup—it’s a geopolitical event.
Turns out, it wasn’t Whole Foods’ internal systems that were breached. It was the network of United Natural Foods Inc. (UNFI)—the company’s Providence, Rhode Island-based distributor, which specializes in premium and organic foods. UNFI is Whole Foods’ biggest distributor, and its other customers reportedly include Walmart and Target. The company went public a year after Amazon bought Whole Foods.
According to Bloomberg, UNFI discovered the breach on June 5 after detecting intrusions into its systems. It then shut down key IT infrastructure and limited outbound shipments. CEO Sandy Douglas told investors the company was working with retailers on stopgap measures “wherever possible,” while efforts to bring systems back online could stretch into mid-June.
That’s nearly two weeks after UNFI discovered the hack.
UNFI notified the FBI and, as of this writing, the perpetrator remains unknown. Bloomberg didn’t speculate on who may have been behind the attack, but provided this meaningful perspective from Andrew Howell, vice president of government affairs at the cyber firm SentinelOne Inc.:
“One of the biggest pieces of magic of the American economy, particularly in the last 20 years, is our ability to have just-in-time delivery of goods right across the country, through neighborhoods and around the world,” Howell said. “And when you see situations like this happen, you realize how frail that system becomes.”
This isn’t the first cyberattack targeting the supermarket industry. Earlier this year, a cyberattack disrupted the e-commerce operations of Hannaford and impacted certain pharmacy and digital services elsewhere in the U.S. Hannaford operates nearly 200 supermarkets in four Northeastern states, including brands like Giant Food, Stop & Shop, Food Lion, and The Giant Company.
A group called Inc Ransom was linked to the Hannaford attack and reportedly threatened to release sensitive consumer data if its demands—which were not made public—weren’t met. Grocery Dive, a trade publication, reported that Inc Ransom has been active since mid-2023 and is still considered a live threat. The group is linked to attacks against other food companies and was also connected to a cyberattack on a Xerox subsidiary last year.
Despite providing a critical service, it doesn’t appear that UNFI places much of a premium on cybersecurity. On its website, the company highlights its diversity and sustainability efforts, while references to technology are framed around helping retailers “compete in an increasingly digital-first world.” There is little, if any, visible emphasis on cyber protections.
Bill Wilson, senior editor of Supermarket News, shares my skepticism.
“I’m guessing that the software (UNFI) has on hand to prevent these kind of attacks probably is not premium, high-end software,” Wilson said on The Grocery Guy podcast. “I don’t think they have an AI that’s going to prevent security breaches.”
There’s considerable anecdotal evidence that even major companies can’t be bothered to ensure their IT systems are protected with state-of-the-art cybersecurity. I’ve noticed that whenever there’s a major breach, trade publications and their readers seem to quickly deduce how it happened—often identifying basic lapses.
When Delta experienced a major IT meltdown last year that forced hundreds of flight cancellations and stranded passengers for days, Microsoft and the airline’s cybersecurity vendor both blamed the fiasco on Delta’s antiquated IT infrastructure. Wall Street, of course, doesn’t reward companies for maintaining robust digital networks—and there are no meaningful consequences for those whose systems are breached.
Just as a chain is only as strong as its weakest link, a company’s IT infrastructure is only as secure as its most vulnerable vendor. That’s why hospitals—despite storing some of the most sensitive consumer data—are often considered soft targets by hackers. Many hospital administrators have long treated cybersecurity as an afterthought, even as their systems grow more complex and interconnected.
To cut costs, hospitals increasingly outsource critical functions to overseas vendors whose networks are notoriously vulnerable. Hackers often exploit these third-party connections as backdoors, slipping into hospital systems through the less-secure networks of affiliated service providers.
I know of one Michigan hospital whose patients’ data has been compromised at least four times—possibly more. According to a cybersecurity source I correspond with, many hospitals are so poorly managed on the IT front that they often don’t even realize hackers are actively snooping around inside their systems in real time.
I’m mindful of former FBI Director Christopher Wray’s warning last year about the serious risks China poses to U.S. national and economic security—and the reality that America’s critical infrastructure remains a prime target.
“The PRC [People’s Republic of China] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage,” Wray said at the Vanderbilt Summit on Modern Conflict and Emerging Threats. “Its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.”
My cybersecurity source told me that China is believed to already possess critical healthcare data on most Americans. Legions of hospitals have had their operations destabilized or disrupted due to cyberattacks. And despite the technological prowess of its Amazon parent, Whole Foods’ operations will have been disrupted for some two weeks due to a third-party vendor breach.
I can live without my premium yogurt. But I expect, within my lifetime, I’ll be forced to go without critical food staples—because the U.S. government, corporations, and consumers still don’t treat cybersecurity as a first-order threat.
They will when there’s no food to put in their stomachs.