Security Experts:

Retailers Suspend Online Photo Centers Due to Possible Breach

Walmart Canada, Tesco, Costco, pharmacy chains CVS and Rite Aid, Sam’s Club, and possibly other retailers have decided to suspend online photo centers while their service provider investigates a possible card breach.

CVS and Walmart Canada were the first to announce shutting down their online photo services after learning that the third-party responsible for managing and hosting their photo centers may have been compromised.

The third party in question appears to be PNI Digital Media, a Vancouver, Canada-based company whose website says its online photo center service is used by the world’s leading retailers.

PNI Digital Media has not released a statement on the matter. However, many of the major retailers that use the company’s services have suspended their online photo centers.

While many of the retailers that use PNI’s platform have posted notices on their websites, the pharmacy chain Rite Aid provides the most details and is the only one to name PNI Digital Media as its service provider.

“We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data. The data that may have been affected is name, address, phone number, email address, photo account password and credit card information,” Rite Aid said. “Unlike for other PNI customers, PNI does not process credit card information on Rite Aid’s behalf and PNI has limited access to this information. At this time, we have no reports from our customers of their credit card or other information being affected by this issue.”

CVS is advising customers who provided payment card information for transactions on CVSPhoto.com to keep an eye out for any fraudulent or suspicious activity.

“We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services,” CVS said.

Tesco’s notice doesn’t mention anything about a potential security incident. Instead, the Tesco Photo website is “unavailable for routine maintenance.”

Membership-only retail warehouse club chain Sam’s Club says it does not believe that customer credit card data has been put at risk, but the company has decided to suspend the Sam’s Photo website following reports about a possible data breach. Costco says it has also shut down its photo center as a result of the recent reports.

Walmart says it has launched an investigation and it will be contacting customers who may be impacted.

“We were recently informed of a potential compromise of customer credit card data involving Walmart Canada’s Photocentre website, www.walmartphotocentre.ca,” Walmart said. “At this time, we have no reason to believe that Walmart.ca, Walmart.com or in-store transactions are affected. As we gather the facts, we recommend Walmart Canada’s Online Photocentre customers monitor their card transactions closely and immediately alert their financial institution about any unauthorized charges.”

PNI Digital Media has been contacted for comment.

PNI Digital Media was acquired in 2014 by Staples, Inc. In December 2014, Staples reported finding point-of-sale (PoS) malware in 115 of its U.S. stores. The company noted at the time that the attackers might have accessed 1.16 million cards.

Security reporter Brian Krebs noted that PNI Digital Media’s Wikipedia and Investors Relations pages have been modified, respectively removed. These pages listed some of the company’s customers before reports of a potential breach surfaced.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.