Cyberattack on grocery supplier reveals fragility of U.S. and Minnesota’s food supply

Hackers infiltrated one grocery distributor, and within days, there were bare shelves at stores in the Twin Cities and across the country and even some pharmacies unable to fill prescriptions.

What sounds like the beginning of a novel played out earlier this month as major wholesale distributor UNFI dealt with a cyberattack. What the episode revealed is that the nation’s highly consolidated food supply is in need of stout digital defenses.

“It pretty much exposes the fragility of our whole grocery system,” said Gregory Esslinger, a distribution expert, brand advisor and former UNFI manager. “It’s a national security issue, honestly.”

UNFI has about $31 billion in revenue and supplies 30,000 stores nationwide, including many in the Twin Cities. It also owns Stillwater-based Cub. The Midwest chain was part of UNFI’s 2018 acquisition of SuperValu, which is why Minnesota is particularly at risk.

“It’s been years, but they’re still gradually integrating the SuperValu systems,” Esslinger said of UNFI. “When you integrate systems, you potentially open doors to issues like this.”

Operations at the country’s largest publicly traded grocery wholesaler have edged back to normal after UNFI detected the attack June 5 and shut down its ordering systems. But preventing or better responding to the next hack will be the greater test.

“If it happens again, that would be the end of them,” Esslinger said. “The confidence would be shattered.”

“If you’re in the industry, this a great opportunity to take this to the board, ask for the budget, ask for what you need to mitigate the risks,” said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. “You know the phrase, ‘Don’t let a good crisis go to waste.’ I hate to say that, but you can take incidents like this and quantify it.”

Steinhauer and others believe the attack on UNFI likely involved ransomware. Typically, that means a hacker has been able to access and lock up key systems, promising to free them only after the target pays ransom.

“It does have all the telltale signs of a ransomware attack because the apparent effects are so widespread,” said Adam Marrè, chief information security officer at Eden Prairie-based Arctic Wolf.

The company has released few details. UNFI has declined to answer questions about the nature of the attack “as the investigation is ongoing.”

“We’ve made significant progress toward safely restoring our electronic ordering systems,” the company said.

Beyond the threat of Americans being unable to access food, attacks like these are devastating to the company. Every moment of downtime in the logistics business is costly. Guggenheim analysts took down their quarterly sales estimate for UNFI by $250 million, a projected 3% hit to the top line. UBS analyst Mark Carden wrote that the impact could last much longer.

“We do see some risk to customer retention,” Carden wrote. “We expect disruption to UNFI’s [revenue] to persist over the next few quarters.”

It’s that kind of damage that makes grocery distributors and other key links in the supply chain such attractive targets for hackers.

“Ransomware actors target industries more likely to pay than not pay,” Marrè said. “It appears they chose not to pay the ransom, which we recommend and so does law enforcement, but we also understand the business and life-saving realities surrounding that decision.”

The UNFI attack follows other critical infrastructure hacks like Colonial Pipeline in 2021. Other companies should take precautions and practice response plans, Marrè said.

Esslinger said a number of factors might have contributed to the UNFI cyberattack and resulting shutdown, which stalled deliveries and, in some warehouses, saw employees go back to taking orders on pen and paper.

“It’s some lack of foresight or planning,” he said. “The other train of thought is they recently laid off a number of people and outsourced some roles. Did that open the door?”

UNFI did not answer a question about its IT staffing. The company headquarters is in Rhode Island, but a number of its tech staffers work in the Twin Cities, according to LinkedIn profiles.