Cybersecurity in food

Sysco, the US-based foodservice distributor, has admitted a cyber attack in January captured customer and employee data. 

In an SEC filing lodged on 2 May, the company provided a statement on a breach that occurred in January – of which the company “became aware” weeks later. 

According to Sysco, “a cybersecurity event perpetrated by a threat actor” started, it believed, on 14 January. It was on 5 March the group first knew of the incident, the company said. 

“Immediately upon detection, Sysco initiated an investigation, with the assistance of cybersecurity and forensics professionals. The investigation determined that the threat actor extracted certain company data, including data relating to operation of the business, customers, employees and personal data,” the company said in the SEC filing. 

“This data extraction has not impacted Sysco’s operational systems and related business functions – and its service to customers continued uninterrupted. Sysco also notified federal law enforcement. The investigation is ongoing, and Sysco has begun the process of preparing to comply with its obligations with respect to the extracted data.” 

A filing with the Office of the Maine Attorney General said the breach affected 126,643 individuals. They had their name “or other personal identifier”, as well as their social security number, exposed. 

On 18 May, Bloomberg reported the company is facing two planned federal class-action lawsuits over the breach. 

In Sysco’s last full financial year, which ran to 2 July 2022, the company generated sales of $68.6bn, up almost 37% on a year earlier.

A ransomware attack on Dole gave hackers access to employee data, the fruit-and-veg giant has confirmed. 

Dole said the breach, which occurred in February, had a “limited” impact on operations but revealed hackers gained “unauthorised access to employee information”. 

The California-headquartered company said it employs around 20,000 full-time staff and 7,000 full-time seasonal or temporary employees worldwide. 

Earlier this month, CEO Rory Byrne told analysts the attack was particularly disruptive to its fresh fruit and vegetables division and Chile division. “More positively, we moved quickly to contain the threat and engaged leading third-party cybersecurity experts and we will be working in partnership with their internal teams to remediate the issue and secure systems,” he added. 

In a US Securities and Exchange Commission (SEC) filing yesterday (23 March) Dole said: “In February of 2023, we were the victim of a sophisticated ransomware attack involving unauthorised access to employee information. 

“Upon detecting the attack, we promptly took steps to contain the attack, retained the services of leading third-party cybersecurity experts and notified law enforcement. The February 2023 attack had a limited impact on our operations.” 

It follows a similar attack on Canada-based meat-processing group Maple Leaf Foods last year, which the company described as a “comprehensive” breach. 

2022 also saw Apetito, the Germany-based frozen-food supplier, reveal a cyberattack on its operations, while UK-based KP Snacks said it too had been affected by ransomware.