Breach taxonomy
Summary
On June 5, 2025, United Natural Foods, Inc. (UNFI) discovered unauthorized activity on certain IT systems and proactively took certain systems offline, temporarily disrupting its ability to fulfill and distribute customer orders. The incident did not involve a breach of personal or protected health information, and core ordering and invoicing systems were subsequently restored. UNFI experienced reduced sales volumes and increased operational costs in the weeks following the incident, with management assessing the impact as likely material to Q4 FY2025 net income and adjusted EBITDA. The company holds cybersecurity insurance expected to be adequate for the incident.
Tagging rationale
ThreatUnknown
Filing does not attribute the incident to a specific actor category -> UNKNOWN.
MethodsSystem Outage
Filing describes unauthorized activity requiring proactive system takedowns that disrupted fulfillment operations; no ransomware, data exfiltration, or specific attack vector is described -> SYSTEM-OUTAGE.
AssetsRevenue ProcessThird Party Process
Unauthorized activity disrupted the company's ability to fulfill and distribute customer orders (revenue-generating process) and impacted electronic ordering and invoicing systems used by customers and suppliers (third-party revenue processes) -> REVENUE-PROCESS and THIRD-PARTY-PROCESS.
EffectsBiz Interruption
Filing states the incident temporarily impacted the Company's ability to fulfill and distribute customer orders, resulting in reduced sales volume and increased operational costs, with expected material impact on Q4 FY2025 financial results -> BIZ-INTERRUPTION.
Business continuityPartial
Filing states the Company activated its incident response plan and implemented containment measures, but experienced reduced sales and increased operational costs in subsequent weeks before core systems were fully restored -> Partial.
Impact
Unauthorized access disrupted a major food distributor's core fulfillment and ordering systems; management assessed the incident as likely material to Q4 FY2025 net income and adjusted EBITDA, suggesting $10M-$50M financial impact range -> score 3.
InsuranceYes
Filing states 'The Company holds cybersecurity insurance that it currently expects will be adequate for the incident' -> true.
Read the original SEC filing excerpt
Item 1.05 Material Cybersecurity Incident. As previously disclosed in a Current Report on Form 8-K filed with the Securities and Exchange Commission ("SEC") on June 9, 2025 (the "Prior 8-K"), on June 5, 2025, United Natural Foods, Inc. (the "Company") became aware of unauthorized activity on certain information technology (IT) systems. As disclosed in the Prior 8-K, the Company promptly activated its incident response plan and implemented containment measures, including proactively taking certain systems offline, which temporarily impacted the Company's ability to fulfill and distribute customer orders. At this time, the Company does not anticipate sending any notifications to individual consumers as a result of this incident because it did not involve a breach of security of personal information or protected health information, as those terms are defined at law. The unauthorized activity has since been contained and the Company is now regularly receiving and shipping products to retailers across its distribution network. Importantly, the Company has safely restored the core systems that its customers and suppliers use for electronic ordering and invoicing, which has enabled business operations to normalize. Throughout this process, the Company focused on proactively and transparently engaging with its customers and suppliers to support their unique business needs. The Company has continued to closely monitor the effect of the incident on its business, financial condition, and results of operations. In the weeks following the incident, the Company experienced reduced sales volume and increased operational costs as the Company worked to drive solutions-oriented results for its customers. The Company has also incurred, and expects to continue to incur, direct expenses related to the investigation and remediation of the incident. Based on the information currently available to the Company, management believes that the incident is reasonably likely to have a material impact on the Company's net income/(loss) and adjusted EBITDA for the fourth fiscal quarter of 2025 compared to its internal projections prior to the incident. The Company holds cybersecurity insurance that it currently expects will be adequate for the incident, and expects that the full claim and settlement process will extend into its 2026 fiscal year.