CVS, Costco and Walmart Canada are among a half-dozen major retailers investigating a data breach at Canadian vendor PNI Digital Media and are temporarily shutting down their online photo processing websites.
Among the others are Sam's Club, Rite Aid and British supermarket chain Tesco, Reuters reported. PNI Digital Media was bought by Staples last year. While this may not be the biggest data breach, it certainly includes the most major retail brands.
"We take the protection of information very seriously," said Kirk Saville, vice president, global communications at Staples. "PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation."
While Costco Canada and Rite Aid pointed out that PNI does not process credit cards and as a result has limited access to customer information, they took their photo service sites down as a precautionary measure. CVS and Walmart Canada asked customers to monitor their credit transactions for unauthorized charges. Tesco's photo processing page said it was unavailable because of routine maintenance.
Like other chains, CVSPhoto.com customers were greeted by a message instead of the regular page content. The online photo service was taken down on Friday and was still down on Tuesday morning.
The message read, in part: "We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience. Our in-store photo centers are not affected and remain in service."
The message went on to advise customers who have provided credit card information for transactions on CVSPhoto.com to check their credit card statements for fraudulent or suspicious activity, and if they find it, report it to their bank or financial institution. The transactions on CVSPhoto.com are separate from other CVS internet businesses, such as CVS.com, Optical.CVS.com, CVS.com/MinuteClinic and in-store POS systems.
The message on Costco's photo page read: "As a result of recent reports suggesting that there may have been a security compromise of the third-party vendor who hosts CostcoPhotoCenter.com we are temporarily suspending access to the site. This decision does not affect any other Costco website or our in-store operations, including in-store photo centers."
The breaches underscore the importance of rigorous vetting of technology vendors, Adam Levin, founder of security firm IDT911, told The New York Times. As companies outsource more technology operations, these vendors can be the weakest security link.
"Breaches have become a certainty in life, and everybody's got to step up their game. Even if the problem stems from a vendor, the retailer's reputation is harmed, and it ends up in the middle of lawsuits," he said.
Walmart Canada said there was no reason to think that Walmart's photo processing site in the U.S., or its main e-commerce sites in Canada or the United States, were affected, said Marilee McInnis, a company spokesperson.
"Our customers' privacy is of the utmost importance. We immediately launched an investigation and will be contacting customers who may be impacted," McInnis said. Canadian authorities and regulators were alerted to the attack.
Brian Krebs, reporting in his Krebs on Security blog, cited PNI's investor relations page as saying the company "'provides a proprietary transactional software platform' that is used by retailers such as Costco, Walmart Canada and CVS/pharmacy to sell millions of personalized products every year.
"Our digital logistics connect your website, in-store kiosks and mobile presences with neighborhood storefronts, maximizing style, price and convenience. Last year the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18 million transactions for personalized products."
Cyber security affects consumer holiday spending
Target: Timeline of a data breach
Data breaches: Will retailers step-up their game?
Target still reeling from data breach, failed Canada expansion
Target Suffers Reduced Traffic After Breach, Hit With More Lawsuits