Cyber Incident Victim: Tesco PLC
Date: Jul 2015
Location: United States of America
Summary
Tesco's online photo service experienced a disruption potentially linked to a security incident involving third-party vendor PNI Digital Media, which managed the platform. The incident may have exposed customer data including names, addresses, contact information, account credentials, and payment card details. The retailer temporarily suspended access to its photo site as a precautionary measure while investigations continued, though no direct confirmation of data compromise was provided. This event occurred alongside similar breaches affecting other major retailers using PNI's services, with the vendor's systems appearing to be the common point of failure across multiple organizations.
Description
In mid-July 2015, multiple major retailers including CVS, Walmart Canada, Costco, and Tesco experienced disruptions to their online photo services following reports of a potential credit card data breach involving third-party vendor PNI Digital Media. PNI, acquired by Staples in 2014, provided the transactional software platform powering these retailers' online photo centers. The incident surfaced when CVS abruptly replaced CVSphoto.com with a breach notification on July 17, stating customer credit card information collected by PNI "may have been compromised." This followed Walmart Canada's earlier disclosure of a similar investigation into its PNI-operated photo site. PNI's investor relations page initially listed CVS, Walmart Canada, Costco, Sam's Club, Walgreens, Rite Aid, and Tesco as clients using its platform, though this information was removed shortly after media inquiries.

Affected retailers responded by temporarily suspending access to their photo platforms as a precautionary measure. CVS shut down CVSphoto.com and related mobile services, emphasizing the separation between photo accounts and core pharmacy transactions. Costco disabled Costcophotocenter.com with nearly identical messaging, while Tesco's tescophoto.com displayed a "down for maintenance" notice. Rite Aid confirmed PNI had alerted them to a possible compromise of customer names, addresses, phone numbers, email addresses, account passwords, and credit card data through its mywayphotos.riteaid.com portal, though it noted PNI didn't process Rite Aid's credit card transactions. No retailers confirmed actual data theft at the time of reporting, and financial systems unrelated to photo services remained operational. The incident marked the second major security concern involving PNI's parent company Staples within a year, following a 2014 breach exposing over 1 million customer card accounts across Staples' retail stores.
