CVS Photo breachIf you take advantage of your local CVS, Costco, Rite Aid or other similar stores to have your photos printed online, you might want to double-check your credit card statements. Following the shutdown of Walmart Canada’s Photocentre website on July 14 after it became aware of a potential data breach, CVS took down its online photo processing store, CVS Photo, just a few days later on July 17. Rite Aid, Costco, Sam’s Club and UK-based Tesco followed suit shortly after. It’s possible that other retailer online photo processing websites may also be involved. Announcements made on the disabled websites for most of these stores pointed to the third-party vendor which manages and hosts their photo processing websites as the source of the data breach. In his write-up of this breach, security blogger Brian Krebs revealed that the third-party vendor these sites all share in common is Vancouver-based PNI Digital Media, which provides transactional software to retailers for use on their websites.

What customer data may have been exposed?

According to the notice put up by Rite Aid on its photo site, customer information potentially vulnerable in this breach includes names, addresses, phone numbers, email addresses, photo account passwords and credit card information. Rite Aid also pointed out that its customers don’t have to worry about exposure of their credit card information since PNI did not process that information for the retailer. However, PNI did process that information for many of its other retailer customers, so if you have used an online photo processing service from any national retailer recently, it’s probably a wise idea to visit its website and check to see if it may be a part of this breach.

RiteAid breach announcement

It’s important for consumers to know that this data breach only affects online transactions through these retailers’ photo websites. CVS and others have assured customers that in-store and non-photo processing transactions are not compromised. It is likely that, following their investigations, each retailer will notify customers whose information was exposed and offer some sort of identity theft protection or credit report monitoring as a consolation.

How can I protect myself?

At this time, not much is known except that customer information — including credit card data, in some cases — was exposed. Since this security breach was through a third-party vendor that serves multiple nationwide retailers, there is potential for the amount of people whose information was leaked to be enormous. Until more facts are known and the retailers affected begin contacting customers, you can protect yourself by following the steps outlined in this blog post.

To learn more about protecting yourself from identity theft, follow our identity theft blog.