“Cybersecurity is always so easy to almost glamorize or abstract from our day-to-day,” said Brittany Greenfield, the founder and CEO of Boston-based cybersecurity startup Wabbi. “But, this particular breach really shows that cybersecurity is a dinner table issue, quite literally.”
The attack left Quincy-based Stop & Shop — New England’s largest supermarket chain with nearly 400 stores — short of fresh produce, dairy and other products just ahead of the Thanksgiving holiday, when families and friends often prepare to gather for meals. Meanwhile, Hannaford Supermarkets were unable to process online orders for over a week because its website and mobile app were down due to the same issue.
Hannaford’s website and app have since come back online. Stop & Shop said it’s working to restock its stores and is equipped with items for Thanksgiving meals.
“Stop & Shop is well stocked with turkeys and hams for the upcoming Thanksgiving holiday, along with staples like potatoes, gravy, and stuffing,” Stop & Shop spokeswoman Caroline Medeiros said in a statement Wednesday. “Customers may see limited availability for some fresh items in certain store locations, however we’re working to restock those items and expect continuous improvement in all impacted stores in advance of the weekend.”
Ahold Delhaize, a Dutch multi-national food and e-commerce retailer that operates 16 supermarket brands — including Stop & Shop and Hannaford — said it immediately began an investigation and contacted law enforcement as soon as it detected the attack.
The company has not yet said who or what was behind the cyberattack on its U.S. network, but some experts speculate it was likely a ransomware attack, where the hacker tricks a company into installing malware and then demands payment to restore the system.
Such attacks can begin when someone clicks on a corrupt link in an email or faulty web link — “and that leads to a ‘payload’ — a software program being installed — and then allowed to spread from there,” said Michael Joseph, cofounder and CEO of Technium, a cybersecurity company based in Marlborough.
Another possibility is malware spread through the grocery companies’ networks due to a lack of maintenance of software programs or connected devices, Joseph added.
Ahold Delhaize has invested heavily in its e-commerce platform and in artificial intelligence. It began moving to a self-distribution model in 2019 with a $480 million investment to expand and upgrade its supply chain operations in the US, including acquiring distribution centers and building new fully automated facilities. The company said the changes would reduce costs, and speed up and improve product availability and freshness.
Experts say cyberattacks like the one Stop & Shop experienced happen “all the time” to all sorts of businesses and organizations — like hospitals, banks, municipalities, government offices and airports.
Moments like this can be a good reminder to beef up cybersecurity health, Greenfield said. It’s important for businesses — both small and large — to build strong cyber resilience.
“It’s not if you get breached, it’s when you get breached,” she said.
For instance, larger companies can use multiple servers, install multi-factor authentication for passwords and implement compliance standards within their organizations, Greenfield said.
And when a breach does happen, businesses should have a strategy to mitigate the issue, Greenfield said. In this case, Ahold Delhaize took some of its systems offline after the attack.
Joseph said businesses should adopt a “zero trust” mindset when it comes to cybersecurity, and employ active monitoring, security awareness training for staff and access to security experts.
This added investment in security is necessary, Joseph said, especially as artificial intelligence and new technology are used more frequently in supply chain businesses. While such tools help make things more efficient, they can also create more potential risks.
Vigilance is key, Joseph said.
“The thing about security is you can’t do it once,” he said. “You have to do it as a service, as a program with regularity because the attacks are always changing … So if a business thinks, ‘we’ve done a great job with security, high five’ — they’re not done. You’re never done.”