The latest data breach appears to involve CVS Photo's online service, and the site is currently offline. The notice on the offline site now states:
We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience.
Customers who provided credit card information for transactions on CVSPhoto.com are advised to check their credit card statements for any fraudulent or suspicious activity and to call their bank or financial institution to report anything of concern.
Customer registrations related to online photo processing and CVSPhoto.com are completely separate from CVS.com, optical.cvs.com, cvs.com/MinuteClinic online bill pay and our pharmacies. Financial transactions on CVS.com, optical.cvs.com, cvs.com/MinuteClinic and in-store are not affected.
Nothing is more central to us than protecting the privacy and security of our customer information, including financial information. We are working closely with the vendor and our financial partners and will share updates as we know more.
It appears that the “back room” credit card processing, i.e. the part of the transaction the consumer does not see, was managed by a Vancouver company called PNI Digital Media. There is nothing unusual or unreasonable about using a third-party vendor to process credit card information, but every company involved in the transaction has security standards that must be met. The most significant standard that may have been violated in this case is the PCI Standard (PCI DSS, the Payment Card Industry Data Security Standard), which applies to every party that stores, processes or transmits cardholder data, including third-party vendors. More information about the types of requirements imposed by law on financial institutions can be found at the Federal Trade Commission.
It is not immediately clear how widespread the breach was, but at least one report claims that Walmart Photos was also affected by the breach.
The loss of financial information such as credit card numbers is concerning for obvious reasons. But it also remains to be seen whether the photos themselves were part of the breach, because if they were, this could be the first example of the danger posed by facial recognition software applied to stolen images. We will continue to monitor whether there is a link to this danger, and in the meantime continue to try to spread the word about the breadth of data that is being collected.