Most of the mass merchants that closed down their online photo ordering businesses in July following a massive hack of their online photo ordering software host, PNI Digital Imaging, have yet to fully recover.
Four months on from the closure of their online operations, Rite Aid (US) and Walmart Canada are still advising customers to go to a store to place their orders, with online ordering via PC or app still entirely shut down.
Tesco (UK) has recommenced online ordering, but still doesn’t offer an online photo ordering app.
CVS Photos remains totally offline.
CVS appointed an independent investigator who confirmed that the ‘possible breach’ actually occurred, and data stolen included credit card information for some customers, as well as names, phone numbers, e-mail addresses, usernames, and passwords. CVS said it appears that the hackers did not steal any photographs.
CVS has stated that customers who had their credit-card information stolen will receive one year of free credit monitoring and identity theft resolution services through Experian. Costco has also notified customers whose credit card information has been compromised and is offering them identity theft protection, for one year, at no charge.
Office supplies giant Staples, which owns PNI, has maintained a low profile through the debacle. ‘While the investigation is ongoing, the results to date suggest that an unauthorised party entered PNI’s systems and was able to deploy malware designed to capture user input on PNI’s servers that support some of its customers’ websites,’ a Staples spokesman told The Boston Globe. ‘At this time, there is no reason to believe that the unauthorised party accessed photos or PIN numbers.’ (Only, as CVS noted, credit card information, names, phone numbers, e-mail addresses, usernames, and passwords. No biggie!)
Costco in the US seems to be the only business to have its online photo operations close to fully back up and running, while also conceding that customer data has been stolen.
‘Our investigation indicates that some Costco members who typed credit card numbers onto the site during the compromise window had credit card information (including security code and expiration date) taken, along with other information that may include name, phone number, billing address, email address, password and ship-to information.’
It advised customers to check with their bank card company.
It’s worth noting that the ‘compromise window’ was a big one – from mid-2014 through to mid-2015.
Costco said that full access to customer photos will not be available immediately, with photos from 2013 or earlier inaccessible ‘for another few weeks’ – indicating that the relaunch of PNI’s service is not yet complete.
Reliance on third-party contractors for online services appears to be a growing security challenge for both online and bricks-and-mortar retailers.
Criminals responsible for a Home Depot security breach also gained access via a user account at a third-party contractor. They then installed malware on Home Depot’s self-checkout systems in the US and Canada.
Target in the US also had 70 million customer credit card numbers stolen courtesy of a third-party supplier of air conditioning systems.