UNFI Cyberattack Halts Deliveries to Whole Foods and 30,000+ Grocery Stores

June 2025 breach forces UNFI to take critical systems offline, triggering order backlogs, an FBI investigation, and scrutiny of critical infrastructure.

tl;dr - United Natural Foods, Inc. (UNFI), the primary distributor for Whole Foods Market and thousands of independent grocers, took critical systems offline after discovering a cyber-intrusion on June 5, 2025. The outage is still limiting order fulfillment a week later, and Whole Foods is warning staff to expect product shortages. UNFI has notified law enforcement, hired incident-response specialists, and filed an 8-K with the SEC acknowledging “temporary disruptions” to operations.

what happened

  • June 5, 2025 – UNFI “became aware of unauthorized activity on certain IT systems” and immediately activated its incident-response plan, taking portions of the network offline. (sec.gov)

  • June 9, 2025 – The company released a short public systems-update statement and contacted FBI cyber units. (ir.unfi.com)

  • June 10, 2025 – Whole Foods leadership notified team members that product availability will fluctuate while UNFI works through a constrained shipping schedule. (Whole Foods has not posted a public statement, but employees confirmed the guidance to multiple media outlets.) (ksl.com)

why this matters

  1. single-point-of-failure risk
    UNFI is the largest publicly traded grocery wholesaler in North America, serving 30,000+ locations and reporting FY-2024 net sales of $31 billion. A 2024 10-K shows one wholesale customer (Whole Foods) accounts for >10 % of net sales, underscoring outsized dependence.

  2. whole foods’ shelves already thinning
    Store employees in multiple states are reporting empty freezers, bread racks, and delayed online-order deliveries. While Amazon-owned Whole Foods operates regional distribution centers, most center-store and specialty items flow through UNFI.

  3. investor exposure
    UNFI’s stock fell nearly 9 % intraday on June 10 as trading algorithms reacted to the 8-K language that disruptions are “expected to continue.”

  4. regulatory pressure
    Because UNFI supports hospital cafeterias, school lunch programs, and SNAP retailers, prolonged downtime could trigger DHS CISA scrutiny under Section 888 of the FY-2024 NDAA, which designates “Food & Agriculture” as critical infrastructure.

what we know so far

| topic | details |
| --- | --- |
| malware type | UNFI has not confirmed ransomware, but the decision to disable systems suggests fear of lateral movement and data exfiltration. |
| affected systems | Order-management, warehouse robotics, and some transportation scheduling platforms are offline. Manual picking & paper bills of lading are in use at key DCs, according to staff. |
| customer impact | UNFI is “shipping on a limited basis,” prioritizing perishable items. Whole Foods’ internal note pegs recovery at “several days.” |
| data at risk | No evidence yet of stolen PII or supplier banking data; investigation is ongoing. |

industry context

Grocery and CPG supply chains have become prime ransomware targets:

  • Clorox (2023) – six-week disruption cost $356 M in lost sales and remediation.

  • Sysco (2024) – internal data leak exposed restaurant purchasing histories.

  • JBS Foods (2021) – paid an $11 M ransom to resume meat-packing operations.

Attacking a tier-one distributor like UNFI magnifies downstream pain because one compromise ripples across thousands of retailers.

security takeaway

  • Vendor-risk basics still apply:

    1. require SOC 2 or ISO 27001 attestation from critical suppliers;

    2. keep 30-day safety stock or multi-sourcing where margins allow;

    3. run tabletop exercises that assume your distributor goes dark for a week.

  • For defenders: watch for spoofed “urgent UNFI invoice” phishing lures; threat actors routinely capitalize on headline breaches.
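
One way to triage inbound mail for the spoofed-invoice lures mentioned above, as an added example that is not part of the original post. It assumes `unfi.com` is the vendor's legitimate sending domain and that your own mail gateway stamps `Authentication-Results`; the reason strings and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "unfi"
LEGIT_DOMAINS = {"unfi.com"}  # assumption: confirm real sender domains with your vendor contact
BRAND_RE = re.compile(r"\bunfi\b", re.I)
LURE_RE = re.compile(r"urgent|invoice|overdue|past due|payment", re.I)

def edit_distance(a, b):  # Levenshtein distance, catches one-character lookalike labels
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the reasons a raw message looks like a vendor-impersonation lure."""
    msg = message_from_string(raw)
    display, subject = parseaddr(msg.get("From", ""))[0], msg.get("Subject", "")
    frm, reply = domain(msg.get("From")), domain(msg.get("Reply-To"))
    label = frm.split(".")[-2] if "." in frm else frm  # naive: ignores multi-part TLDs
    reasons = []
    if frm in LEGIT_DOMAINS:
        if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
            reasons.append("vendor domain without DMARC pass")
    else:
        if BRAND in label or edit_distance(label, BRAND) == 1:
            reasons.append("lookalike sender domain")
        if BRAND_RE.search(display):
            reasons.append("brand in display name, non-vendor domain")
        if BRAND_RE.search(subject) and LURE_RE.search(subject):
            reasons.append("brand plus payment pressure in subject")
    if (reasons or frm in LEGIT_DOMAINS) and reply and reply != frm:
        reasons.append("Reply-To domain differs from From")
    return reasons

# Constructed sample messages (reserved .example domains), not real traffic.
SAMPLES = {
    "lure": 'From: "UNFI Accounts Receivable" <billing@unfi-invoices.example>\n'
            "Reply-To: pay@mailbox.example\nSubject: URGENT: UNFI invoice overdue\n"
            "Authentication-Results: mx.example; dmarc=fail\n\nSee attached.\n",
    "typo": 'From: "Billing" <ar@unfl.example>\nSubject: Statement\n\nHello.\n',
    "real": 'From: "UNFI" <updates@unfi.com>\nSubject: Systems update\nAuthentication-Results: mx.example; dmarc=pass\n\nStatus.\n',
}
```

With a four-letter brand, the one-edit lookalike rule will produce false positives, so treat the output as a queue for analyst review rather than a block list.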

what’s next

UNFI’s morning investor call (8:30 a.m. ET, June 10) promised daily status updates to major customers. Expect a fuller breach disclosure within 96 hours if data theft is confirmed. Whole Foods teams have begun rerouting select SKUs through alternative distributors but say the substitution list is “short and temporary.”
