Cyber Incident Victim: Walmart Inc.

In July 2015, Walmart Canada disclosed it was investigating a potential breach of customer payment card data involving its online photo processing service. The company stated the incident affected a third-party vendor managing the platform, later identified as PNI Digital Media—a subsidiary of Staples that provided transactional software for online photo services across multiple retailers. This announcement preceded a similar disclosure by CVS Pharmacy, which temporarily shut down CVSphoto.com after learning PNI may have compromised customer credit card data. Walmart Canada confirmed its online photo operations were segregated from core retail systems, clarifying that in-store transactions and Walmart.com financial activities remained unaffected. The breach scope at Walmart Canada specifically involved payment card information submitted through the PNI-hosted photo portal, though the investigation did not confirm data exfiltration at the time of reporting.

The incident triggered coordinated containment measures across PNI’s client base. Following Walmart Canada’s probe, CVS, Costco, Rite Aid, Tesco, and Sam’s Club suspended their online photo services as a precaution. Rite Aid’s advisory noted PNI potentially accessed customer names, addresses, phone numbers, email addresses, account passwords, and payment card details—though Rite Aid clarified PNI didn’t process its credit card transactions. Walmart Canada’s response mirrored industry actions by temporarily disabling the compromised portal while maintaining normal retail operations. PNI removed client references from its investor relations page and Wikipedia entry shortly after media coverage, though historical records confirmed its platform facilitated over 18 million annual transactions for 19,000 retail locations. The breach marked the second major card data incident involving a Staples entity within a year, following a 2014 intrusion at Staples retail stores that compromised 1.16 million payment cards.