Cyber Incident Victim: Sam's Club

Date: Jul 2015

Location: United States of America

Summary

A cybersecurity incident involving Sam's Club stemmed from a breach at third-party vendor PNI Digital Media, which managed online photo services for multiple retailers. Customer data potentially compromised included names, addresses, phone numbers, email addresses, account passwords, and payment card information. The breach prompted temporary shutdowns of affected online platforms as a precautionary measure, though in-store operations and unrelated digital services remained unaffected. Similar impacts were reported by other retailers using PNI's services, including CVS, Walmart Canada, Rite Aid, and Costco, with investigations indicating unauthorized access to the vendor's transactional systems.

Description

In mid-July 2015, CVS Health disabled its CVSphoto.com website and associated mobile services after discovering potential credit card data compromise at its online photo processing unit. The company confirmed the breach stemmed from a third-party vendor managing the platform, clarifying that CVS.com transactions and in-store pharmacy systems remained unaffected. This incident followed Walmart Canada's announcement days earlier regarding a similar investigation into card data exposure at its online photo service. Both retailers identified PNI Digital Media—a transactional software provider for personalized products—as the common vendor. PNI's platform serviced multiple major retailers, including Costco, Walmart Canada, and CVS/pharmacy, handling over 18 million annual transactions across 19,000 retail locations and 8,000 kiosks. Evidence emerged that PNI removed client references from its investor relations page and Wikipedia entry shortly after CVS's disclosure.

The breach scope expanded as additional retailers responded to PNI's security incident. Costco suspended Costcophotocenter.com with warnings about the vendor compromise, while Rite Aid confirmed PNI's limited access to customer names, addresses, phone numbers, email addresses, photo account passwords, and credit card data through its mywayphotos.riteaid.com portal. Tesco displayed maintenance messages on tescophoto.com. An investigative update indicated **Sam's Club**, Walgreens, Rite Aid, and Tesco might enact similar protective measures, though specific actions by Sam's Club weren't detailed in available reports. PNI's corporate parent Staples—which acquired the company in 2014—had previously suffered a separate six-month card breach exposing 1.16 million accounts. Retailers uniformly emphasized that core e-commerce platforms and physical store operations remained unaffected, isolating the incident to PNI-managed photo services. No customer fraud reports linked to the breach were confirmed at the time of disclosures.
