As online photo print operations at six major retailers spanning the U.S., Canada and the U.K. remain shuttered going into a second month after hackers attacked the services through a third-party provider, industry analysts said the toll on consumers and the retailers could be significant in terms of both data and dollars.
John Kindervag, Forrester Research vice president and principal analyst serving security and risk professionals, told SCMagazine.com that the fact the sites are still down could be indicative of an ongoing criminal investigation and not just an attempt to shore up the vulnerability.
“This could potentially be massive,” Kindervag said. “The business losses will be minimal compared to the data loss, fines and potential lawsuits.”
Kindervag was surprised that the shutdown has more or less flown under the radar with the PlayStation Network hack garnering quite a bit more attention.
Sam’s Club, Costco, CVS, Rite Aid, Walmart Canada and the U.K. company Tesco all were forced to shut down their online photo ordering websites, which are operated by third-party PNI Digital Media, on July 17. Since then, each company has posted a note apologizing for the loss of service, but giving out very little additional information. PNI is owned by the office superstore chain Staples.
Kindervag said he has no first-hand knowledge of the investigation, but believes the hackers used an attack similar to the one that penetrated Target. In that case entry was gained through the HVAC system, but in this case through the online photo portal.
“The hackers went sniffing for an open IP address and found it in the online photo system,” he said.
While there is no way to place a dollar amount on the potential data lost, the retailers stand to lose tens of millions of dollars.
The market research firm InfoTrends pegged the U.S. photo printing market at about $2 billion with online ordering comprising about 40 percent of this total, Alan Bullock, associate director, connected imaging trends service, told SCMagazine.com.
“This is a significant event and has the potential to be massively disruptive,” Bullock said, adding that the retailers can still conduct their photo business through their in-store facilities.
InfoTrends did not have a dollar breakout for how much the retailers have lost during the events, but it did say the majority of prints ordered online are picked up in the store where customers pay in person.
That could prove to be a mitigating factor in the amount of data lost since customers purchasing prints did not have to input any personal data to use the service.
Bullock added that online photo sites run by Target, Walmart and Walgreens are not impacted because each of those retailers is serviced by a different third-party provider.
The companies impacted have not yet made any public statements regarding the specific data that might have been compromised or how much longer the services will be down. Most did name PNI as the responsible party.
CVS suggested that customers who inputted credit card information to the site check their statements for fraudulent activity, and Mike DeAngelis, CVS’s director of public relations, said in email correspondence with SCMagazine.com that the chain is working closely with its financial partners in the investigation.
Meanwhile, Rite Aid offered up a mixed message, saying, “The data that may have been affected is name, address, phone number, email address, photo account password and credit card information.” The statement on its site stated that “unlike for other PNI customers, PNI does not process credit card information on Rite Aid’s behalf and PNI has limited access to this information.”
Staples Director of Communications Mark Cuetala told SCMagazine.com in an email that the company is only making a single blanket statement available to the public.
“PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation,” the statement said.
Kindervag contended that at the end of the day the best outcome would be that the good guys add this to their lessons learned pile.
“It doesn’t matter who is behind it, we are not going to bring anyone to justice,” he said. “This is about solving the problem and moving on.”