Whole Foods reportedly directed workers to downplay increasingly empty aisles after a cyberattack on its main distributor crippled deliveries and sent ripple effects through the retail food supply chain.
The Amazon-owned supermarket chain posted vague notices about “temporary supply challenges” as frustrated customers were greeted with bare shelves at several locations, according to TechCrunch.
In an internal memo obtained by the outlet, Whole Foods told staffers that the cyberattack on United Natural Foods Inc. (UNFI) is its “ability to select and ship products from their warehouses.”
“This will impact our normal delivery schedules and product availability,” the memo added.
The Rhode Island-based wholesaler, which supplies more than 30,000 stores including Whole Foods, reported a “cybersecurity incident” last week that forced it to take critical systems offline, halting operations and delaying shipments of food and other essentials to supermarkets across the US and Canada.
“We are working to restock our shelves as quickly as possible and apologize for any inconvenience this may have caused for customers,” Whole Foods spokesperson Nathan Cimbala told The Post.
UNFI confirmed in a regulatory filing that it had discovered “unauthorized activity in our systems” late last week and had taken portions of its network offline in response.
On Wednesday, the company said it had begun restoring its ordering and receiving systems in phases.
“We continue working steadily to safely restore our systems and provide the services our customers and suppliers know and expect from us,” said UNFI spokesperson Grace Turiano.
Grocery chains dependent on UNFI’s massive distribution network are being forced to improvise. In New York City, Morton Williams has already begun seeking alternate sources for staples such as dairy, frozen foods, and bottled beverages.
“It’s bringing the company to a standstill with no orders generated and no orders coming in,” Steve Schwartz, Morton Williams’ director of sales, told The Post earlier this week.
Across the country, store employees and shoppers are feeling the strain.
One bakery worker posted to Reddit that they had to cancel several graduation cake orders after deliveries of key ingredients failed to arrive.
The attack on UNFI is the latest in a string of cyber incidents targeting major consumer-facing companies. Just last month, Victoria’s Secret was forced to take its website offline and delay its earnings report after a similar breach.
“What we are seeing with UNFI and, just last week, with Victoria’s Secret, reflects a growing trend: threat actors are targeting critical infrastructure and high-traffic consumer platforms for maximum disruption and financial leverage,” Adrianus Warmenhoven, a cybersecurity expert at NordVPN, told TechCrunch.
UNFI has not disclosed the identity of the attackers or their demands, if any. CEO Sandy Douglas told investors the breach was discovered Friday and that systems were intentionally shut down as a precaution. But employees say the road to recovery could be long.
“It’s a mystery as of yet what is going to happen and how long it’s going to be until things are back to normal,” wrote one Reddit user claiming to work for UNFI. “Even when they can start to get back on track it will have to be done in phases.”
UNFI, which reported $8.1 billion in quarterly sales for the period ending May 3, saw its shares drop 8.5% following news of the breach — a sign of investor concern over the scale and duration of the disruption.
The timing couldn’t be worse. With supply chains still fragile after years of pandemic-related strain, the cyberattack has exposed vulnerabilities in the food industry’s logistical backbone.
For many retailers, UNFI is a critical link between manufacturers and store shelves — and there’s no quick substitute.
As UNFI works to get back online and Whole Foods hustles to restock, shoppers may continue to encounter gaps in inventory.
The Post has sought comment from UNFI.
