Cyber Incident Victim: CVS Health

Date: Jul 2015

Location: United States of America

Summary

CVS Pharmacy temporarily shut down its online photo service following a potential compromise of customer credit card data managed by third-party vendor PNI Digital Media. The incident, which did not affect in-store transactions or other online platforms, mirrored similar breaches at retailers using PNI's services, including Walmart Canada, Costco, Rite Aid, and Tesco, prompting precautionary shutdowns of their photo sites. PNI, acquired by Staples—a company previously impacted by its own card breach—facilitated online photo processing for multiple retailers, with Rite Aid noting possible exposure of names, addresses, contact details, passwords, and payment information, though no confirmed misuse was reported.

Description

In July 2015, CVS Pharmacy disabled its CVSphoto.com website and related mobile photo services after discovering potential unauthorized access to customer credit card data processed by a third-party vendor. The company replaced the site with a notice confirming an investigation into the compromise of payment information collected by the vendor managing its online photo operations. CVS clarified that this incident exclusively affected CVSPhoto.com registrations and transactions, with no impact on CVS.com, in-store pharmacy systems, or retail financial transactions. The announcement followed Walmart Canada’s disclosure days earlier of a similar breach at its online photo service, which was also managed by the same third-party vendor, PNI Digital Media. PNI’s platform supported personalized product sales for multiple retailers, including CVS, Walmart Canada, Costco, Sam’s Club, Walgreens, Rite Aid, and Tesco, handling over 18 million annual transactions across 19,000 retail locations and 8,000 kiosks.

The breach prompted immediate containment actions across PNI’s client network. Costco suspended Costcophotocenter.com, citing reports of the vendor’s security compromise, while Tesco’s photo site displayed a “down for maintenance” message. Rite Aid disclosed that PNI had alerted it to a possible compromise affecting customer names, addresses, phone numbers, email addresses, photo account passwords, and credit card data but noted PNI had limited access to its credit card information compared to other clients. Staples, which had acquired PNI in 2014, had previously experienced a separate card breach at its retail stores. PNI removed client references from its investor relations page and Wikipedia entry shortly after the CVS breach became public. CVS, Walmart Canada, and other affected retailers maintained their primary e-commerce and in-store systems throughout the incident, isolating the breach to their photo-specific online portals managed by PNI. No customer reports of fraud linked to the incident were confirmed at the time of the disclosures.
