CVS said Friday investigators have confirmed that the company that manages their photo website was indeed hacked this summer, possibly resulting in the theft of some CVS customer information.
The photo website of the nation’s second-largest drugstore chain has been shut down since July after the breach was detected. The photo sites of Rite Aid, Costco and Wal-Mart Canada also were affected in the breach. CVS Health Corp. said it started contacting potentially-affected customers on Friday. A spokesman for the Woonsocket, Rhode Island-based company wouldn’t say how many customers were being notified, or comment beyond the note to consumers posted on CVS’ photo website.
The company’s main CVS.com website, the computer system used by its pharmacies, its optical website and its MinuteClinic online bill pay site were not affected by the breach. Sales made in CVS stores also were not affected.
The Rite Aid and Wal-Mart Canada sites also remained down Friday afternoon, while the Costco site has restarted limited operations.
Staples Inc., the parent company of Canada-based PNI Digital Media, which manages all of the sites, says that based on its investigation so far, it appears that the hackers breached PNI’s computer systems and used malware to capture user information on the company’s servers. But it says that there’s no sign that hackers accessed user photos or pin numbers.
“The company is working with outside security experts to determine the nature and scope of the incident, including what user data was impacted and the time period involved,” Staples’ statement read.
CVSPhoto Website: Updated September 11, 2015: In July, we learned that customer credit card information entered by certain users on CVSPhoto.com, which is operated by PNI Media (an independent third-party vendor who manages the hosted CVSPhoto.com site), was potentially impacted. As a precaution, we immediately shut down access to online and related mobile photo services and began an investigation, which is ongoing.
We continue to work diligently on restoring service to CVSPhoto.com and we expect that our online photos service will resume later this fall. Your images are saved and you will have access to them once service to CVSPhoto.com is restored. Our in-store photo centers are not affected and remain in service. Film and disposable camera orders are being processed and your CVS/pharmacy will contact you when they are received.
Investigators have now confirmed that there was an illegal intrusion into PNI’s system that potentially resulted in the unauthorized acquisition of data entered by certain users on CVSPhoto.com. In the coming days we will be sending a direct notification to those customers who were potentially affected by this intrusion.