WASHINGTON (7/21/15)--The latest retailer data breach, this time at a third-party vendor providing online and mobile photo services for Walmart Canada, Costco, CVS, Rite Aid and Sam’s Club, adds more fuel to CUNA’s advocacy efforts to make retailers responsible for the security of their customers’ personal financial information and the aftermath of their breaches.
Meanwhile, credit union members and other consumers using online and mobile photo services and apps at the retailers will need to be on the lookout for fraudulent charges on their credit cards in the wake of the breach.
The companies closed down their photo sites Friday as a precaution after learning of a possible security breach at their independent photo-management vendor, PNI Digital Media. The sites were still down Monday.
PNI Digital is a Vancouver, B.C.-based company that was purchased in 2014 by office supplies retailer Staples Inc., according to USA Today and CNNMoney.com (July 17). It manages and hosts the retailers’ photo sites. Last year it served more than 19,000 retail locations and 8,000 kiosks and generated more than 18 million transactions for personalized products. Last year Staples suffered a data breach, affecting 1.2 million credit cards.
CUNA and credit unions have long advocated that retailers, not financial institutions, should bear the expense of replacing credit cards from merchant data breaches. CUNA continues to urge Congress to pass the Data Security Act (S.961/H.R.2205), which seeks to ensure a customer’s sensitive personal and financial information is secure at every point in the payment process.
Several of the retailers told the customers to contact their financial institutions to monitor potential fraudulent purchases.
CVSPhoto.com shut down its site and its smartphone app, saying “as a precaution, as our investigation is under way, we are temporarily shutting down access to online and related mobile photo services.” The notice advised customers who provided credit card information for their transactions to “check their credit card statements for any fraudulent or suspicious activity and to call their bank or financial institution to report anything of concern.” CVS noted that CVSPhoto.com customer registrations are “completely separate” from its other sites’ online bill pay and from its pharmacies.
Rite Aid’s website said that compromised data include name, address, phone number, email address, photo account password and credit card information. “Unlike other PNI customers, PNI does not process credit card information on Rite Aid’s behalf and PNI has limited access to this information.” The breach is limited to the photo service only, not Rite Aid’s other mobile and online services. Although the company had received no reports from customers regarding fraudulent use of the information, it temporarily shut down access to its mobile and online photo services as a precaution.