New York
CNN
—
Whole Foods employees say a major cyberattack on a leading distributor has left some store shelves and freezers empty.
“Our frozen cooler is empty, our bread hearth is bare and customers are increasingly upset,” one barista and bakery employee at a Whole Foods located in Arkansas told CNN.
The employee, who requested anonymity because she was not authorized to speak to the media, complained there is a “complete lack of transparency” about the disruption and that “nearly every department has been heavily impacted.”
United Natural Foods, the primary food distributor to Whole Foods, disclosed the damaging cyberattack and disruption to its business on Monday, sending its stock plunging 7%. UNFI (UNFI) shares sank more than 10% on Tuesday, leaving it down about 17% since disclosing the cyberattack
It’s unclear how widespread the supply disruptions to Whole Foods are, but an update from UNFI on Tuesday suggests significant problems. The company said it’s currently shipping to customers only on a “limited basis.”
Whole Foods would not provide details on how many of its locations have been impacted by the cyberattack. However, a Whole Foods spokesperson told CNN that the Amazon-owned grocery store is working to restock shelves as quickly as possible and apologized to customers for any inconvenience.
The Whole Foods barista from Arkansas shared photos with CNN that showed thinly stocked shelves.
“We’ve spent time deep-cleaning our freezers – an unusual task – simply because our normally overstocked freezers are now completely bare,” the Whole Foods employee said.
Another Whole Foods employee who spoke to CNN on condition of anonymity said her California location has been unable to accept or process orders. “We’ve had quite a few customer complaints,” the employee told CNN.
Multiple customers and apparent employees on social media reported empty shelves and delivery problems.
One user on Reddit posted a photo of an empty refrigerator with a sign saying the store is “experiencing a temporary out of stock issue for some products.”
The incident underscores how cyberattacks on delicate supply chains can have real-world impact for customers and employees.
UNFI said “unauthorized activity in our systems” discovered last Thursday forced it to completely shut down its systems by late Friday.
“We’re working as rapidly and safely as possible to bring our systems back online,” UNFI CEO Sandy Douglas said during a conference call with analysts.
Douglas said the company is working with customers and suppliers “transparently to do everything that we can possibly do to help them manage through the short-term difficulty that the situation creates.”
Douglas said he’s been in touch with many customers and the conversations have been “extremely constructive and collaborative.”
The UNFI CEO defended his company’s cybersecurity efforts and pledged to review existing protocols.
“The threat actors out there are always looking for ways to innovate and find new ways to penetrate systems,” Douglas said. “We just got penetrated. So we will be continuing to look at every aspect of our defense, every aspect of how our tools are working and what may be necessary to bolster it going forward.”
During Tuesday’s conference call, UNFI executives faced questions about the decision to wait until Monday morning to disclose the breach.
One analyst noted that UNFI shares started falling before last Thursday, when the company says it became aware of the cyberattack. “It very much appears someone knew this was going to happen,” said the analyst, who also asked if the Securities and Exchange Commission is involved.
Indeed, UNFI shares fell sharply early last week, including a 9% plunge on June 3 and a 4% drop on June 4 despite an absence of official company news.
Douglas declined to comment on regulatory authorities but stressed that “there is no way we could have communicated any faster.” The UNFI CEO added that the company has engaged with “all the authorities” and has reported “all that we know” to the FBI.
The FBI declined to comment on the incident. A spokesperson for the SEC said the agency does not comment on the existence or nonexistence of a possible investigation.
CNN’s Jordan Valinsky contributed to this report
