Cyber Incident Victim: Walgreens
Date:
Jul 2015
Location:
United States of America
Summary
A breach involving a third-party vendor managing online photo services for multiple retailers potentially compromised customer data, including names, addresses, phone numbers, email addresses, account passwords, and credit card information. The incident affected Walgreens' online photo platform alongside other retailers, with investigations indicating the vendor's systems were compromised. Services were temporarily suspended as a precaution, though core pharmacy operations, in-store systems, and primary websites remained unaffected. The vendor, PNI Digital Media, previously linked to similar breaches at other retailers, facilitated transactions for personalized products but did not process payments for all clients. Impact was confined to online photo services hosted by the vendor.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In mid-July 2015, multiple U.S. and Canadian retail chains experienced potential credit card breaches tied to their online photo processing services operated by third-party vendor PNI Digital Media. CVS Pharmacy became the first to publicly acknowledge the issue on July 17, replacing CVSphoto.com with a warning message about possible credit card data compromise and temporarily shutting down online and mobile photo services. The company clarified that CVSPhoto.com operated independently from CVS.com and in-store pharmacy systems, confirming that core retail and pharmaceutical transactions remained unaffected. This disclosure followed Walmart Canada's July 14 announcement of its own investigation into card data exposure at its PNI-hosted online photo store, establishing a pattern of third-party platform vulnerabilities across major retailers.
The breach scope expanded significantly within hours as security researchers identified additional PNI clients potentially affected, including Walgreens, Sam's Club, Rite Aid, Tesco, and Costco. By late July 17, Costco had taken its photo center offline with a nearly identical warning message to CVS's, while Tesco's photo site displayed maintenance notifications. Rite Aid provided the most detailed impact assessment among secondary victims, confirming that PNI managed mywayphotos.riteaid.com and that exposed data potentially included names, addresses, phone numbers, email addresses, account passwords, and credit card information—though Rite Aid noted PNI had limited credit card processing capabilities for their systems. Neither Walgreens nor Sam's Club issued immediate public statements, though their inclusion in researcher alerts suggested similar operational impacts. All affected retailers emphasized the breach's isolation to photo services, with no infiltration of primary e-commerce platforms or physical store payment systems. PNI Digital Media, recently acquired by Staples—a company that had itself suffered a major card breach in 2014—removed client references from its investor relations page and Wikipedia entry following initial reports, while failing to provide official comment on the investigation timeline or attacker methodology.