# Full Report
The food distributor and wholesaler completely shut down its systems upon discovering the attack last month, yet core systems were restored and normal operating capacity returned within three weeks. The post United Natural Foods loses up to $400M in sales after cyberattack appeared first on CyberScoop.
# Analysis Summary
# Incident Report: UNFI Cyberattack Leading to Significant Sales Disruption
## Executive Summary
United Natural Foods (UNFI), a major food distributor, suffered a significant cyberattack that forced a complete shutdown of its systems. The incident, discovered in early June 2025, caused over four weeks of severe operational disruption, leading to up to $400 million in lost sales, primarily impacting the supply chain for customers like Whole Foods Market. UNFI successfully restored core systems within three weeks, minimizing net income loss through insurance coverage for direct remediation costs.
## Incident Details
- **Discovery Date:** June 5, 2025
- **Incident Date:** On or shortly before June 5, 2025 (when systems were shut down)
- **Affected Organization:** United Natural Foods, Inc. (UNFI)
- **Sector:** Food Distribution/Wholesale
- **Geography:** North America
## Timeline of Events
### Initial Access
- **Date/Time:** Occurred prior to June 5, 2025.
- **Vector:** Not explicitly stated in the provided text, but attributed to an ongoing attack spree linked to the financially motivated group Scattered Spider.
- **Details:** Attackers compromised systems, leading the company to shut down its entire network on or around June 5, 2025.
### Lateral Movement
- **Details:** Not explicitly detailed, but necessary to cause widespread operational failure across 52 distribution centers, leading to an inability to fulfill orders.
### Data Exfiltration/Impact
- **Details:** The primary impact was operational shutdown, resulting in lost sales of up to $400 million and an estimated $60 million net income loss. UNFI was unable to fulfill orders, causing empty shelves at retailer locations (e.g., Whole Foods) and inventory spoilage. No mention of data exfiltration or a ransom demand was made.
### Detection & Response
- **Discovery:** Discovered by UNFI on June 5, 2025, and publicly disclosed four days later.
- **Response actions taken:** The company completely shut down its systems to contain the incident and engaged third-party cybersecurity, legal, and governance experts for assistance. By the week of the report (mid-July 2025), 95% of operational capacity had been restored.
## Attack Methodology
- **Initial Access:** Unknown (attributed generally to Scattered Spider activity).
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Implied widespread movement to disable core distribution functionality.
- **Collection:** Not specified (focus was on operational disruption).
- **Exfiltration:** No evidence of data exfiltration mentioned.
- **Impact:** Operational disruption through system shutdown, leading to severe supply chain failure (inability to ship products).
## Impact Assessment
- **Financial:** Up to **$400 million in lost sales**. Estimated **$60 million net income loss** (largely contained to one fiscal quarter ending in early August). Direct costs of $20 million (manual workarounds) and $5 million (remediation/experts).
- **Data Breach:** None specified or confirmed.
- **Operational:** Complete shutdown of the network required for operations across 52 distribution centers, disrupting fulfillment to 30,000 customer locations. Normal operating capacity was restored within three weeks.
- **Reputational:** Negative attention due to resulting empty shelves at major retailers relying on UNFI's distribution.
## Indicators of Compromise
- *No specific technical IOCs (IPs, domains, file hashes) were available in the description.*
- **Behavioral indicators:** Widespread system shutdown initiated by the organization to halt the attack progression.
## Response Actions
- **Containment measures:** Immediate and complete shutdown of IT systems network-wide.
- **Eradication steps:** Not detailed; the reported remediation costs presumably cover internal and third-party identification and removal of malicious elements.
- **Recovery actions:** Restored commercial operating capacity to normalized levels within three weeks, focusing heavily on restoring outbound fill rates and on-time deliveries.
## Lessons Learned
- The critical nature of food distribution infrastructure makes it a high-value target, as disruption causes immediate consumer and industry impact.
- Reliance on manual workarounds during outages is costly ($20 million incurred).
- Cyber insurance proved vital for offsetting remediation costs, though reimbursement is expected in the following fiscal year.
## Recommendations
- Enhance initial access defenses, particularly against threat actors like Scattered Spider known for social engineering tactics.
- Develop and vigorously test robust, isolated failover and manual operating procedures to minimize direct costs incurred during prolonged network outages.
- Implement segmented network architectures to prevent single points of failure from completely halting core distribution operations.