On Thursday Whole Foods in the US publicly revealed that a data breach had potentially compromised its customers' credit card details. But a day later, we still know nothing about which customers, or how many of them, may have been affected.
In response to Gizmodo's inquiry on Thursday, Whole Foods declined to say how many of its stores may have been involved or where they were located. The company did not respond Friday when asked how long it was aware of the breach before alerting the public.
In its only statement so far, Whole Foods said it was alerted to a potential breach after it "received information regarding unauthorised access of payment card information." That language appears to imply that Whole Foods did not detect the compromise itself, but was informed by a third party instead.
Rep. Diana DeGette of Colorado, a frequent and vocal proponent of post-breach consumer protection, told Gizmodo on Friday that Whole Foods must expedite its disclosure process if it means to help customers protect themselves from potential fraud. Timeliness with regard to breach disclosure is key in determining whether a company is reacting appropriately; Equifax was roundly criticised, for example, after being too slow to notify consumers.
"Whole Foods needs to tell the whole truth about this incident, and soon," said DeGette, the ranking Democrat on the House subcommittee on oversight and investigations. "Customers need to know whether and how they were affected, when, and in what way. How many people, and in which regions of the country, are at risk? How long ago did Whole Foods learn of it, and what steps have been taken to mitigate the damage?"
Whole Foods has been quick to disclose information about systems it says were definitely not compromised; for instance, it said the apparent breach did not impact Amazon, which acquired the supermarket chain last month.
What's more, Whole Foods claims only customers of bars and table-service restaurants located inside its stores could be affected. And while the company noted that not every store has a tap room or in-store restaurant, there are a significant number of them spread across the country: As of November, 180 of Whole Foods' 464 stores had bars or taprooms, according to The Mercury News.
Whole Foods has said that upon learning of the breach it obtained the help of a leading cybersecurity forensics firm and further notified law enforcement; but whether that happened days, weeks, or months ago, the company did not specify. All it has said is that the investigation is "ongoing" and that it will "provide additional updates as it learns more."
Hopefully, that's sooner than later.
Kate Conger contributed reporting to this story.