Nationwide pharmacy chain CVS has taken down its online photo center CVSphoto.com, replacing it with a message warning that customer credit card data may have been compromised. The incident comes just days after Walmart Canada said it was investigating a potential breach of customer card data at its online photo processing store.
“We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised,” CVS said in a statement that replaced the photo Web site’s normal homepage content. “As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience. Customer registrations related to online photo processing and CVSPhoto.com are completely separate from CVS.com and our pharmacies. Financial transactions on CVS.com and in-store are not affected.”
Last week, Walmart Canada warned it was investigating a similar breach of its online photo Web site, which the company said was operated by a third party. The Globe and Mail reported that the third party in the Walmart Canada breach is a company called PNI Digital Media.
According to PNI’s investor relations page, PNI provides a “proprietary transactional software platform” that is used by retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year.
“Our digital logistics connect your website, in-store kiosks, and mobile presences with neighbourhood storefronts, maximizing style, price, and convenience. Last year the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18M transactions for personalized products.”
Update, 11:35 a.m. ET: The above-cited text from PNI’s Investor Relations page was removed shortly after this story went live (a screenshot of it is available here). Someone also edited PNI’s Wikipedia page to remove client information.
Original story: Neither CVS nor PNI could be immediately reached for comment. Costco’s online photo store, costcophotocenter.com, does not appear to include any messaging about a possible breach.
Interestingly, PNI Digital Media was acquired a year ago by office supply chain Staples. As first reported by this site in October 2014, Staples suffered its own card breach, a six-month intrusion that allowed thieves to steal more than a million customer card accounts.
Update, 11:33 p.m. ET: According to a review of customer data previously listed by PNI, we could be seeing similar actions from Sam’s Club, Walgreens, Rite Aid and Tesco, to name a few.
Costco, which also was listed as a customer of PNI, just took its photo site offline as well, adding the following message:
“As a result of recent reports suggesting that there may have been a security compromise of the third party vendor who hosts Costcophotocenter.com we are temporarily suspending access to the site. This decision does not affect any other Costco website or our in-store operations, including in-store photo centers.”
Tesco’s photo site — tescophoto.com — currently says it is “down for maintenance.” Rite Aid’s photo site also carries a notice saying it was notified by PNI Digital Media of a possible breach:
“We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data. The data that may have been affected is name, address, phone number, email address, photo account password and credit card information. Unlike for other PNI customers, PNI does not process credit card information on Rite Aid’s behalf and PNI has limited access to this information. At this time, we have no reports from our customers of their credit card or other information being affected by this issue. While we investigate this issue, as a precaution we have temporarily shut down access to online and mobile photo services.
“No other online or mobile transactions are affected. This issue is limited to online and mobile photo transactions involving PNI. RiteAid.com, Rite Aid Online Store, My Pharmacy, wellness+ with Plenti, and in-store systems are not affected.”
Source: Krebs