If the whole Equifax debacle changes anything at all, it should be the public perception of what a responsible disclosure looks like in the wake of a devastating data breach.
That's a lesson that, incredibly, Whole Foods seems determined to ignore.
It's been 12 days since Whole Foods first disclosed that its point-of-sale systems were compromised, leaving an untold number of credit card holders at risk. The following day, Gizmodo reported that as many as 117 venues may have been impacted. At the same time, the company, which was recently acquired by Amazon, set up a website that allows the public to see which stores are involved. But since then, the company has gone dark.
To date, Whole Foods' initial statement on September 28 represents the entirety of its public disclosure. In an email to Gizmodo today, the company again declined to say when the company first discovered the breach. Did it wait days, weeks or months to notify the public? That is information Whole Foods has readily on hand and is refusing to divulge. The supermarket chain has further refused to say whether any potentially compromised customers have been contacted individually.
In many ways, Whole Foods is offering the public even less information than Equifax did in the days following its data breach announcement, which Equifax is universally recognised for having totally borked.
For the most part, the company has limited its disclosure to information that downplays the potential impact of the breach. It will say, for instance, that checkout systems in the grocery sections of the stores were not impacted. It is also careful to emphasise that "about 117 venues" does not equal 117 stores; the breach, Whole Foods says, only affected customers of in-store taprooms and restaurants, and some stores contain both. It was quick to note that the breach did not involve any of Amazon's systems.
From that, we know Whole Foods has determined at least which systems were breached. The question is now whether the company is even aware of how long its systems were infiltrated — if that is indeed the case. If it had that information, it should be easily to calculate how many of its customers may be impacted overall.
Nearly two weeks ago, Whole Foods announced that it had enlisted the help of a leading cyber security forensics firm. One would expect by now that investigators would have a rough idea of when the breach occurred. If so, Whole Foods is simply withhold the grisly details from the public. There's no way to know, of course, because the company declines to address any questions about the breach's reach or its genesis.
Whole Foods did say that it was cooperating with law enforcement as part of an ongoing investigation. Presumably, this means the FBI is involved; the bureau has declined to confirm or deny its involvement, however, citing an official policy that on occasion it ignores.
Remaining quiet about the breach is an effective PR strategy: The incident has all but disappeared from the news, save a handful of local reports noting that neighbourhood stores were involved. But there's a wealth of essential details missing — questions likely to be raised by frustrated readers, which reporters cannot answer, thanks to Whole Foods' silence: How many people were affected by this breach? And what should they do about it?
The website set up by Whole Foods does not include any instructions whatsoever for consumers who recently visited one of the affected venues. If you think your credit card might've been compromised, there's no number to call, no form to fill out; the page doesn't even recommend that customers contact their banks about fraud-prevention measures.
At best, Whole Foods' effort to assist its customers in the wake of this breach appears lazy — at worst, it invites accusations of negligence. More than a week ago, Rep Diana DeGette told Gizmodo that Whole Foods needed to "tell the whole truth about this incident, and soon". So far, that hasn't come to pass.
"Data exposures are capable of affecting a larger number of people and businesses than ever before," Mike Baukes, co-CEO of the cyber resiliency firm UpGuard, told Gizmodo. "With such incidents occurring at an epidemic-scale, it is clear that practices surrounding incident response and public disclosure need to change. Enterprises must handle any internal data with the utmost care; should those standards fail to maintain data integrity, affected customers and partners must be informed quickly to allow them to ascertain if their information was compromised."
In the aftermath of a data breach, what a company won't say is just as important as the information it's willing to divulge. "A truly cyber resilient organisation understands that rapid response and remediation is essential in surviving in a digital world," Baukes added.
Cybersecurity researcher Troy Hunt, who runs the data breach notification service Have I Been Pwned?, told Gizmodo that Whole Foods' refusal to disclose when it had learned of the breach was "woeful", "disappointing", and did little to restore trust in the company.
"There are certainly aspects of a breach a company may quite rightly not disclose (for example anything that might hamper an ongoing investigation such as whether they have identified the attacker), but refusing to state when the incident happened or if people have been contacted seems deliberately deceitful," he said. "I can't think of any good reason to take that position."
Earlier today, Hunt publicly praised the comment service Disqus for acting swiftly to mitigate a data breach disclosed late last week. The company began contacting users and resetting their passwords less than 24 hours after Hunt's notification.
An Amazon spokesperson did not immediately respond to a request for comment.