More Retailers Hit by New Third-Party Breach?Online Photo Services Shuttered During Investigation
(Editor's Note: This story has been updated)
See Also: Main Cyber Attack Destinations in 2016
CVS, Rite-Aid, Sam's Club, Walmart Canada and other large retail chains have suspended their online photo services following a suspected hack attack against a third-party service provider that may, in some cases, have resulted in the compromise of payment card data.
The suspected breach centers on PNI Digital Media Inc., a Vancouver-based firm that manages and hosts online photo services for numerous retailers. The incident serves as a reminder of the security challenges that organizations face when it comes to managing their third-party vendors and entrusting them with sensitive customer information.
Numerous chains have confirmed that they are investigating potential breaches - some involving payment card data - after being warned by PNI Digital Media that it may have suffered a hack attack that resulted in the compromise of retailers' customers' names, addresses, phone numbers, email addresses, photo account passwords and credit card information. But none of the retailers involved have so far reported that they believe the breach would affect any of their in-store customers, including anyone who used in-store photo services.
PNI Digital Media did not immediately respond to a request for comment on its reported breach investigation. Until July 17, the company's investors page reported that it worked with numerous retailers, and while that page is now blank, a recent version cached by Google's search engine reads: "PNI Digital Media provides a proprietary transactional software platform that is used by leading retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year. Last year, the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18M transactions for personalized products."
CVS Confirms Investigation
On July 17, CVS spokesman Mike DeAngelis confirmed that CVSPhoto.com may have been affected by the suspected PNI Digital Media breach. "We disabled the site as a matter of precaution while this matter is being investigated," DeAngelis tells Information Security Media Group.
The cvsphoto.com site now reads in part: "We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience."
CVS says PNI Digital Media collects credit and debit information for customers who purchase online photo services through CVSPhoto.com. Accordingly, CVS recommends that all customers of its online photo service review their credit card statements "for any fraudulent or suspicious activity" and notify their bank or card issuer if anything appears to be amiss. "Nothing is more central to us than protecting the privacy and security of our customer information, including financial information," CVS says. "We are working closely with the vendor and our financial partners and will share updates as we know more."
Rite Aid: No Suspected Card Theft
Drugstore chain Rite Aid has also taken its online and mobile photo services offline. "We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data," Rite Aid's site reads. "The data that may have been affected is name, address, phone number, email address, photo account password and credit card information."
Unlike CVS, however, Rite Aid reports that it does not believe that its customers' payment-card data is at risk. "Unlike for other PNI customers, PNI does not process credit card information on Rite Aid's behalf and PNI has limited access to this information," it says, adding that it has received no related fraud reports from its customers.
Sam's Club has also taken its online photo service offline, "in an abundance of caution and as a result of recent reports suggesting a potential security compromise of the third-party vendor that hosts Sam's Photo website." As with Rite Aid, however, Sam's Club reports that "at this time, we do not believe customer credit card data has been put at risk."
Walmart Canada, which also outsources online photo services to PNI, also may have been affected by the possible breach, according to the The Toronto Star, and the retailer has since suspended its online photo services website. "We were recently informed of a potential compromise of customer credit card data involving Walmart Canada's Photocentre website, www.walmartphotocentre.ca," Walmart states. "We immediately launched an investigation and will be contacting customers who may be impacted. At this time, we have no reason to believe that Walmart.ca, Walmart.com or in-store transactions are affected.
Walmart did not respond to Information Security Media Group's request for comment. ISMG also reached out to office supplier Staples, which owns PNI, but did not get a response.
"PNI is investigating a potential credit card data security issue," a Staples spokesperson told The Toronto Star.
Growing Third-Party Breach Concerns
PNI's potential breach comes just a week after Denver-based managed services provider Service Systems Associates announced that a breach linked to a malware attack against its network had likely affected about 12 of the payments systems it operates for gifts shops at retail locations, which include zoos, museums and parks, across the country (see Denver POS Service Provider Breached).
Service Systems Associates says debit and credit purchases made between March 23 and June 25 may have been compromised.
On July 7, the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers, issued a cybersecurity alert about risks merchants face when dealing with third parties.
The alert lists a number of security recommendations for managing third-party risks, including using multifactor authentication for remote-access login to point-of-sale systems and including specific policies related to outdated operating systems and software in contracts with vendors.
Earlier this month, Chris Bretz, director of payment risk at the FS-ISAC, warned that managed service providers that offer outsourced services to numerous merchants are increasingly being targeted by cybercriminals.
"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz said in an interview with ISMG. "Merchants in industry verticals often use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."
Executive Editor Mathew Schwartz also contributed to this story.