Threat Management

Customer data possibly compromised in online photo store malware attack

PNI Digital Media, CVS and Costco have issued statements indicating that some customers' personal information may have been compromised following the July malware attack that shut down the online photo print operations at six PNI-run retailers.

PNI, which is owned by the office supply superstore chain Staples, said malware was inserted into their system and this may have led to some data being captured.

“While the investigation is ongoing, the results to date suggest that an unauthorized party entered PNI's systems and was able to deploy malware designed to capture user input on PNI's servers that support some of its customers' websites,” Staples told SCMagazine in an email on Monday.

The problem began on July 17 when Sam's Club, Costco, CVS, RiteAid, Walmart Canada and the U.K. company Tesco all were forced to shut down their online photo ordering. At that time all six sites were taken down

CVS issued a similar statement advising its online photo customers of the possible loss of their information.

“Investigators have now confirmed that there was an illegal intrusion into PNI's system that potentially resulted in the unauthorized acquisition of data entered by certain users on In the coming days we will be sending a direct notification to those customers who were potentially affected by this intrusion,” the company told in an email Monday.

Costco has also reopened its online print shop, but also warned its shoppers that some of their information may have been misappropriated. The company is providing identity theft protection for one year free of charge and is suggesting users change their password for the site. Costco said PNI has input new security measures.

“Our investigation indicates that some Costco members who typed credit card numbers onto the site during the compromise window had credit card information (including security code and expiration date) taken, along with other information that may include name, phone number, billing address, email address, password and ship-to information. We do not believe that stored credit card numbers or photos were compromised, and itself was not impacted,” Costco said in a posted statement.

Sam's Club also reinstated its site and indicated that none of its customers should experience any issues due to the hack.

“Based on assurance from our third-party vendor that Sam's club customer data has not been compromised, we've re-launched our photo center site. We also have no reason to believe that in-club transactions or any other transactions on have been affected,” Sam's Club told SCMazine in an email Monday.

RiteAide's site is still down and only contains the original note to customers from July 17 informing them of the issue. An email to the company requesting an update has not been answered.

Walmart Canada and Tesco removed the photo areas from their sites and have not posted any information regarding the situation.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.