Whole Foods hit by credit card hack at several stores

If you ate or drank at Whole Foods recently, you might want to keep a close eye on your credit card transactions.

Alfred Ng
Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
2 min read
Whole Foods Market.

A Whole Foods Market in California.

David Peevers / Getty Images

Shopping at Whole Foods might have cost customers more than just overpriced avocados.

The popular grocery chain, which Amazon bought for $13.7 billion in June, warned customers Thursday that thieves stole payment card information at several of its stores. The cyberattack hit Whole Foods' taprooms and restaurants, not stores' primary checkout lines, the company said. 

These in-store taprooms and restaurants use a different payments system than the regular Whole Foods checkout. The hack didn't spread to Amazon's payment servers because they're not connected to Whole Foods' stores, the company said.

Point-of-sales attacks often target popular chains. Fast food joints like Chipotle and Wendy's have been hit in the past, with hackers stealing customer credit card information. Cybercriminals often look for easy targets to make quick cash, and restaurants have shown they're simple to hack.

Whole Foods has 449 stores in the US and more than 40 sell beer on tap. It's unclear how many restaurants Whole Foods has.

Watch this: How Amazon tech can be tied into Whole Foods

"While most Whole Foods Market stores do not have these taprooms and restaurants, Whole Foods Market encourages its customers to closely monitor their payment card statements and report any unauthorized charges to the issuing bank," the company said in a statement.

Whole Foods declined to comment on how many people are affected and which stores were hacked.

The grocery chain said it's working with a cybersecurity forensics firm and law enforcement to investigate who is behind the attack.  

First published Sept. 29, 6:25 a.m. PT.
Update at 8:14 a.m. PT: With Whole Foods declining to comment.

It's Complicated: This is dating in the age of apps. Having fun yet?

Tech EnabledCNET chronicles tech's role in providing new kinds of accessibility.