A cyberattack on a primary organic food distributor has led to empty shelves at Whole Foods stores across the country.
The company, Rhode Island-based United Natural Foods Inc. (UNFI), is one of the country’s largest organic food distributors and a major partner with Whole Foods. It became aware of a cyberattack on June 5, according to a filing with the Securities and Exchange Commission, and took some of its systems offline, hampering its ability to distribute orders to customers.
A spokesperson for United Natural Foods declined to share specifics about the cyberattack, saying it was an ongoing operation. But it comes in the wake of a series of cyberattacks where a notorious cybercriminal gang has been targeting major retail customers with ransomware, rendering key systems inoperable as hackers demand payment.
A corporate Whole Foods spokesperson apologized for the inconvenience and said the company is working to restock shelves quickly, but declined to answer specific questions.
Two Whole Foods employees, who were not authorized by the company to speak with the press about the incident, told NBC News that the shortages were significant.
“It’s affecting operations in a very, very significant way,” an employee at a Sacramento Whole Foods said. “Shelves don’t even have products in some places. The shipments we receive are not what we need, or we did need it but it’s too much of one product because UNFI can’t communicate with stores to get proper orders.”
A Whole Foods employee in North Carolina said: “We had to shut down our sandwich station on Tuesday because we didn’t get any bread delivered. My store almost ran out of trash bags the other day.”
The UNFI spokesperson said there was not a clear timeline for when distribution would return to normal, but that on Thursday it had begun gradually bringing some systems back online.
John Braley, the director of the Food and Agriculture-Information Sharing and Analysis Center, a nonprofit cybersecurity advisory nonprofit for the food and agriculture industry, said the food supply chain’s complexity means that if a company is suddenly hampered by a cyberattack, it can cause trickle-down effects that keep food from reaching customers.
“For a standard, moderately processed food product found in a major supermarket, 10 or more companies can be involved in the supply chain. Even fresh produce — such as an apple sold at a farmers’ market — may involve multiple companies, such as the farm itself, local distributor/food hub, and the retailer,” he said in an emailed statement to NBC News.
Beyond Whole Foods, smaller companies have also faced shortages from UNFI being unable to automatically process orders. The Community Food Co-Op in Bellingham, Washington, told customers on Facebook Monday that, as UNFI is its primary distributor, “you’ll see sparsely stocked shelves in some of our aisles” and asked customers to limit purchases to two of each item.
Caitlin Smith, a logistics coordinator at C.R. England, a trucking and logistics company, told NBC News that the UNFI outage has left her company unable to deliver refrigerated foods to a dairy processing customer.
“I have three drivers sitting stuck because of this whole UNFI debacle,” she said.
The costs from the cyberattack will end up being passed onto the consumer, she said. “At the end of the day, you and I as customers will end up paying for this. So it does have a domino effect.”
Ransomware attacks are common. But a particularly vicious campaign has hit major retailers in recent months. At least three major British retailers were hit earlier this year, including Marks & Spencer, which had to pause online orders for weeks; the Co-op, which saw hackers leak significant customer data to the BBC; and Harrods, which had to restrict some internet access at stores.
Google said last month that those attacks overlap with a loosely affiliated group the cybersecurity industry has dubbed “Scattered Spider,” largely English-speaking young men who have mastered the ability to trick people into giving them restricted online access. The same group was accused of breaking into Las Vegas casino companies in 2023. It has begun targeting major American retailers in earnest, Google said.
Victoria’s Secret was also the victim of a cyberattack in May, though it’s not clear if the same group was responsible.
