Amazon’s Whole Foods distributor, United Natural Foods Inc. (UNFI), suffered a cyber attack that forced the company to shut down some IT systems, disrupting operations, including ordering and distribution.
Rhode Island-based UNFI distributes fresh and frozen food items to over 30,000 locations across the United States and Canada from its 53 major distribution centers. It boasts of being the largest full-service grocery partner, serving numerous high-profile clients, including Amazon’s Whole Foods.
According to its regulatory filing with the U.S. Securities and Exchange Commission (SEC), the food distributor learned of the cyber attack on June 5, 2025, after detecting unauthorized activity on some of its systems.
UNFI said it responded by activating its incident response plan and implementing containment measures, “including proactively taking certain systems offline,” temporarily affecting the order fulfilment and distribution processes.
“Our frozen cooler is empty, our bread hearth is bare and customers are increasingly upset,” one Arkansas barista, speaking on the condition of anonymity, told CNN. “We’ve spent time deep-cleaning our freezers – an unusual task – simply because our normally overstocked freezers are now completely bare.”
Cyber attack on Whole Foods distributor to cause ongoing disruptions
United Natural Foods anticipates that the cyber attack will continue to disrupt its operations, suggesting that ransomware was involved.
“The incident has caused, and is expected to continue to cause, temporary disruptions to the Company’s business operations,” the Amazon’s Whole Foods partner disclosed.
However, the company has not disclosed the nature of the cyber attack, and no ransomware gang has taken responsibility. Cybercriminals and their victims remain tight-lipped when negotiations are still possible or under consideration.
“Initial reports from United Natural Foods (UNFI) suggested that they had isolated the compromised systems, but they soon followed up with a statement that the entire network was shut down,” said Venky Raju, Field CTO at ColorTokens. “This suggests that the malware moved more quickly through their network than their attempts to contain the spread. With its entire network shut down, UNFI customers have been unable to submit orders and have them fulfilled, resulting in significant business losses for all parties.”
The FBI discourages paying a ransom to avoid incentivizing cybercriminals. Additionally, the chances of recovering stolen data or guaranteeing that the threat actors would not sell, exploit, or demand another ransom are relatively slim. However, companies are advised to consider the impacts of the cyber attack on their stakeholders and victims before deciding on whether to pay the ransom.
It remains unclear whether the whole foods supplier has received a ransom demand or if it was willing to pay to prevent the potential leak of stolen data. Information on whether its computer systems were locked remains unreported.
“Operations such as this often work on a very tight timeline, so the pressure can be high to get systems up and running as soon as possible,” said Erich Kron, Security Awareness Advocate at KnowBe4. “This is what attackers hope for as they dangle the idea in front of the victims that paying the ransom will get organizations back online quickly.”
Meanwhile, the whole foods giant has notified relevant law enforcement and regulatory authorities. It also hired third-party cyber forensic experts to investigate the incident to determine its nature and scope. The company is also implementing business continuity measures and workarounds to limit the disruptions.
“The Company is continuing to work to restore its systems to safely bring them back online,” it stated.
So far, remains unclear if the threat actors exfiltrated the whole foods giant’s customer data and the nature of potentially stolen information.
Recent cyber attacks targeting UK retailers
The whole foods supplier’s cyber attack comes hot on the heels of numerous cybersecurity incidents targeting UK retailers, Marks & Spencer, Harrods, and the Co-op.
“This recent attack further compounds the challenges faced by the already struggling retail industry, adding yet another disruption,” noted Aditi Gupta, Senior Manager, Professional Services Consulting at Black Duck. “Supply chain attacks have surged by a staggering 431% from 2021 to 2023 and continue to rise in 2025. The digitization of critical functions such as inventory management and order processing are essential for the retail industry, and these attacks serve as a true test of their business continuity capabilities.”
The attacks were attributed to the prolific ransomware gang Scattered Spider, also known as UNC3944, 0ktapus, Starfraud, Scatter Swine, Octo Tempest, and Muddled Libra, which has so far claimed hundreds of victims since its inception. The gang partnered with the ALPHV/BlackCat ransomware gang to execute one of the most historic cyberattacks, compromising MGM Resorts.
German luxury retailer Adidas also suffered a cyber attack bearing the telltale signs of the ongoing hacking campaign targeting renowned brands. Google had recently warned that the threat actors behind the cyberattacks on U.K. retailers were also targeting U.S. companies.
