Cyber Incident Victim: Thrifty PayLess
Date: Jul 2015
Location: United States of America
Summary
A pharmacy chain's online photo service experienced a credit card data breach involving a third-party vendor managing the platform, prompting temporary shutdowns of affected websites. The vendor, PNI Digital Media, provided transactional software for multiple retailers, leading to similar investigations at Walmart Canada, Costco, Rite Aid, Tesco, and others. Compromised information potentially included customer names, addresses, phone numbers, email addresses, account passwords, and payment card details. The incident was isolated to online and mobile photo services, with no impact on in-store operations, pharmacy systems, or primary e-commerce platforms. Rite Aid clarified that PNI had limited access to its customers' credit card information compared to other clients. This breach followed prior security incidents linked to PNI's parent company.
Description
In July 2015, CVS temporarily shut down its CVSphoto.com online photo service after discovering potential credit card data compromise involving a third-party vendor. The breach notification appeared on CVSphoto.com's homepage, clarifying that only transactions processed through this independent vendor—not CVS.com or in-store pharmacy systems—were affected. This incident followed Walmart Canada's announcement days earlier regarding a similar breach investigation at its online photo store, which was also managed by a third party. Media reports identified PNI Digital Media as the common vendor behind both CVSphoto.com and Walmart Canada's photo services. PNI's investor relations page confirmed it provided transactional software platforms for multiple retailers including Costco, Walmart Canada, and CVS/pharmacy, facilitating personalized product sales through websites, mobile apps, and 19,000+ retail kiosks. Shortly after these revelations, PNI removed client references from its investor page and Wikipedia entry. Staples, which had acquired PNI in 2014, previously suffered a separate card breach affecting over one million customer accounts between April and September 2014.

The breach scope expanded as additional retailers using PNI's platform took precautionary measures. Costco disabled Costcophotocenter.com with a notice about the vendor security compromise, while Rite Aid confirmed PNI managed mywayphotos.riteaid.com and warned that potentially compromised data included names, addresses, phone numbers, email addresses, account passwords, and credit card information—though Rite Aid clarified PNI didn't process its credit card data directly. Tesco's photo site displayed maintenance messages, and industry analysts suggested Sam's Club and Walgreens might face similar issues. All affected retailers emphasized that core e-commerce platforms and physical store operations remained unaffected. CVS, Costco, and Rite Aid maintained temporary shutdowns of their photo services during investigations, with Rite Aid specifically noting no customer reports of actual fraud at the time of disclosure. The incident highlighted systemic risks in third-party vendor relationships, particularly given PNI's central role in processing transactions for multiple national retail chains through a unified digital platform.
