Cyberattack on grocery supplier reveals fragility of U.S. and Minnesota’s food supply

Hackers infiltrated one grocery distributor, and within days, there were bare shelves at stores in the Twin Cities and around the country and even some pharmacies unable to fill prescriptions.

That’s not the beginning of some thriller novel. It’s the real events that played out earlier this month as major wholesale distributor UNFI dealt with a cyberattack. But the moral of the story is already clear: The nation’s highly consolidated food supply is in need of stout digital defenses to protect it.

“It pretty much exposes the fragility of our whole grocery system,” said Gregory Esslinger, a distribution expert, brand advisor and former UNFI manager. “It’s a national security issue, honestly.”

UNFI has about $31 billion in revenue and supplies 30,000 stores nationwide, including many in the Twin Cities. It also owns Stillwater-based Cub. The Midwest chain was part of UNFI’s 2018 acquisition of SuperValu, which also explains why Minnesota is particularly at risk.

“It’s been years, but they’re still gradually integrating the SuperValu systems,” Esslinger said of UNFI. “When you integrate systems, you potentially open doors to issues like this.”

While operations at the country’s largest publicly traded grocery wholesaler have edged back to normal after UNFI detected the attack June 5 and shut down its ordering systems, preventing and better responding to the next hack will be the greater test.

“If it happens again, that would be the end of them,” Esslinger said. “The confidence would be shattered.”

Having a handful of big suppliers like UNFI distribute the majority of the nation’s groceries can help keep the price of food down, but it carries enormous risk when something goes wrong. Every part of the supply chain should take note of what happened and revisit their security plans, experts said.

“If you’re in the industry, this a great opportunity to take this to the board, ask for the budget, ask for what you need to mitigate the risks,” said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. “You know the phrase, ‘Don’t let a good crisis go to waste.’ I hate to say that, but you can take incidents like this and quantify it.”

Steinhauer and others believe the attack on UNFI was likely ransomware. Typically, that means a hacker has been able to access and lock up key systems, promising to free them only after the target pays a ransom.

“It does have all the telltale signs of a ransomware attack because the apparent effects are so widespread,” said Adam Marrè, the chief information security officer at Eden Prairie-based Arctic Wolf.

But the company has released few details. UNFI on Wednesday declined to answer questions about the nature of the attack “as the investigation is ongoing.”

“We’ve made significant progress toward safely restoring our electronic ordering systems,” the company said in a statement.

UNFI distribution centers are again taking orders and making deliveries as of Sunday. The short-lived disruption at Cub pharmacies also ended last week.

Beyond the threat of Americans being unable to access food, attacks like these are also devastating to the company. Every moment of downtime in the logistics business is financially costly. Guggenheim analysts took down their quarterly sales estimate for UNFI by $250 million, a projected 3% hit to the wholesaler’s top line. UBS analyst Mark Carden wrote the impact could last much longer.

“We do see some risk to customer retention,” Carden wrote. “We expect disruption to UNFI’s [revenue] to persist over the next few quarters.”

It’s that kind of damage that makes grocery distributors and other key links in the supply chain such attractive victims for hackers.

“Ransomware actors target industries more likely to pay than not pay,” Marrè said. “It appears they chose not to pay the ransom, which we recommend and so does law enforcement, but we also understand the business and life-saving realities surrounding that decision.”

The UNFI attack follows other critical infrastructure hacks like Colonial Pipeline in 2021. Any other companies those spooked should take precautions and practice response plans, Marrè said.

“Prevention is great,” he said. “But at the end of the day, the ability to detect and respond to an incident is a must. There needs to be backup plans and alternates in your supply chain.”

Esslinger said a number of factors might have contributed to the UNFI cyberattack and resulting shutdown, which stalled deliveries and, in some warehouses, saw employees taking orders on pen and paper.

“It’s some lack of foresight or planning,” he said. “The other train of thought is they recently laid off a number of people and outsourced some roles. Did that open the door?”

UNFI did not answer a question about their IT staffing. While the company headquarters in Rhode Island, a number of its tech staffers work in the Twin Cities, according to LinkedIn profiles.

“UNFI regularly evaluates and adopts new tools and technologies as appropriate to strengthen our information security program to address evolving threats,” the company said in a statement, “and we are continually taking steps to further enhance the security of our systems.”