Whole Foods data breach affected about 100 taprooms, restaurants

Whole Foods Market said Friday that a data breach involving credit-card charges made at the grocer's taprooms and full-service restaurants affected about 100 venues in its stores over a six-month period.

The company said the hack lasted from March 10 until Sept. 28 and included bars and restaurants in 30 states, including California, Florida, Pennsylvania and Virginia. Big cities including New York City, Chicago, Washington, D.C., were among those targeted.

Whole Foods, which operates 473 stores, is among a number of food retailers who have faced data breaches, including Sonic Corp. last month and Wendy's Co. in 2016.

The Whole Foods' hack potentially included the copying of cardholder names, account numbers and verification codes. It didn't impact transactions at its grocery stores, only in-store bars and restaurants, the company said.

The breach also didn't affect orders made through Amazon.com Inc., the e-commerce giant that took over the grocer in August, Whole Foods said.

The company hired a cybersecurity firm to assess the hack and conduct an investigation. It has replaced the sales systems at the affected locations and stopped the unauthorized activity, the Austin-based company said.

"Whole Foods Market has been working closely with the payment card companies," it said in a statement.

It first disclosed the breach last month.

Write to Heather Haddon at heather.haddon@wsj.com