How a Cyberattack at a Company You've Never Heard of Nearly Derailed My Anniversary Carrot Cake

CNET

2 days ago

Every year since we got married, my husband and I have celebrated our anniversary with a carrot cake. Some years it was from the amazing bakery in our old neighborhood, while others it was a questionably fresh effort picked up at a train station shop on the way home from the office, but often I would bake my own.
The funny thing is, neither of us really likes carrot cake. It just somehow ended up being the top layer of our wedding cake, so we have one every year. That's tradition for you.
This year, for our 20th anniversary, I had my mind set on baking. Throwing together a three-layer cake in the middle of a busy work day may sound daunting, but it's well within my skill set. And I was armed with a new recipe and a giant bag of carrots. I just needed a few key ingredients.
Always the procrastinator, I started filling my online shopping cart the night before. I also needed the makings for a fairly fancy dinner, as well as my regular groceries for the week. But to my surprise, the virtual shelves of my NYC-area Whole Foods were uncharacteristically bare. It brought back memories of the pandemic. Basic store-brand items that I buy every week like tortillas, pizza sauce and cheese were out of stock. And so were the raisins and cream cheese I needed for my cake.
Slightly panicked at that point, I remembered the news of a cyberattack at one of Whole Foods' major suppliers a few days before that forced it to take its systems offline. Some experts had speculated that it could affect store supplies, but I hadn't expected the impact to be so quick and so significant.
Cybercriminals have long-targeted retail companies, along with those that supply them, for both their money and data. They know that if they're successful in breaching those systems, retailers will likely pay to make the problem go away.
That said, this year has been particularly bad for cyberattacks on retailers, says Max Vetter, vice president of cyber at Immersive, which specializes in training companies for how to deal with online threats.
So far this year, retailers including Adidas, Marks & Spencer, Harrods, Cartier, Victoria's Secret and North Face have all sustained cyberattacks that affected their operations. And while Whole Foods' supplier, United Natural Foods, isn't technically a retailer, the impact of the attack on it continues to be felt by consumers.
"This is not normal," says Vetter, who worked in British law enforcement and as an intelligence analyst before joining Immersive. "We haven't seen this in retail and food any other year that I can remember."
For companies, that can mean millions in lost sales and unexpected costs related to dealing with attacks. In the case of United Natural Foods, its stock price tumbled on the news, dropping about 20% over the past week.
For most consumers, it means aggravation more than anything. In my case, I was able to find my raisins and cream cheese at a brick-and-mortar store, but I paid more than I wanted to and it took time I didn't have out of my day.
But for some shoppers, the consequence can be more dire. If the only store in a remote town can't restock its shelves, that can mean no food for people without the means to get to another one.
"That's something definitely to be aware of and I don't think we've thought enough about this," Vetter said.
Why attackers attack
When online attackers go after retailers, they're looking for two things: money and data.
If they're able to lock a company's system up with ransomware, it's likely that the company will pay up to get its systems back up and running. The longer they're down, the more money the company will lose. On top of that, blank websites just aren't a great look for retailers. Shoppers who fear for their data may choose to shop somewhere else.
And the attackers are after their data. Credit card numbers and online account credentials can obviously be sold in bulk to fraudsters, but so can less obvious customer data like names, emails, mailing addresses and phone numbers.
Rewards points tied to loyalty programs run by food and restaurant companies are also as good as cash to cybercriminals, says Rob Ainscough, Silverfort's chief identity security advisor for Europe, the Middle East and Africa.
Double extortion attempts, where attackers lock a company's system down with ransomware and then steal and threaten to release a company's customer data, have also become common, he says.
"So if they don't get paid on the ransom, they're going to try to get paid on the data," said Ainscough, who spent a decade heading online security for a large multinational retailer before joining Silverfort.
Arguably, that's what attackers are going for when they target any kind of company, so it remains unclear why they seem so fond of retailers this year.
Vetter says it could be because retailers are seen as easy targets. While banks and other financial institutions have long boasted strong online security practices, and industrial companies have also boosted their defenses in recent years in the wake of high-profile attacks such as the 2021 ransoming of Colonial Pipeline, retailers have been slower to do the same.
It can be tough, he says, for security officials at companies that aren't particularly tech-focused to get the resources they need from executives who may just see cybersecurity as a cost. Unlike other kinds of flashier technology, when cyberdefenses work, they go largely unnoticed.
"I think retail is one of those areas that probably just didn't think it was much of a problem," Vetter said, referring to the possibility of cyberattacks. "Obviously, I think they do now."
Supply chain dangers
It's one thing if a cyberattack keeps you from ordering some new clothes or jewelry. It's another when it keeps you from putting food on your table.
The attack on United Natural Foods and the subsequent shortages at many Whole Foods stores brought to light exactly how fragile the food supply chain can be. But Whole Foods, with its affluent customer base and locations in big cities and suburban areas, isn't the only store its customers have to shop at.
That's not true for many of the members of the Co-Operative Group. It's a UK-based chain of stores that are owned by its members and serve more than 17 million people in the UK, many of them retirees who live in remote areas and may not be able to drive.
For some, they're the only stores in places like small villages on islands off the coast of Scotland where people might need to get on a ferry to shop somewhere else, Vetter says. So when Co-op got hit with a cyberattack last month, it had a lot of people panicking.
After detecting the breach, Co-op quickly took its systems offline, possibly preventing them from becoming infected with ransomware. But the disruptions to its supply chain and logistics operations had a huge effect on deliveries to stores, whose shelves were quickly left bare.
Co-op was left scrambling to prioritize and figure out what stores absolutely needed to be resupplied, despite the group's limited operations.
"There's a real human risk there of starvation," Vetter said. "You don't think of a relatively small store as critical to national infrastructure, but for some people it is."