A data breach has kept several mega retailers’ websites offline and could have compromised the personal information of some 60,000 Walmart Canada customers.
A mysterious incident which caused Walmart Canada to take its online photo processing website offline last month may have compromised the payment information of millions of the retailer’s customers. Furthermore, the severity of the incident was such that even after almost a month, Walmart Canada’s online photo processing service remains offline and visitors to the site are greeted with an official statement about the incident.
The company says that it was recently informed of a “potential compromise of customer credit card data” involving its online photo site and that it has “launched an investigation and will be contacting customers who may be impacted.”
While the true extent of the breach remains unknown, Walmart says it has “no reason to believe” that customers of the Walmart.ca and Walmart.com websites are affected.
60,000 Customers Potentially Affected
According to a report by The Globe and Mail, as many as 60,000 Walmart customers could have had their personal information compromised as a result of the breach.
“As we gather the facts, we recommend Walmart Canada’s Online Photocentre customers monitor their card transactions closely and immediately alert their financial institution about any unauthorized charges,” continues the online statement.
However, the breach has not only affected Walmart’s photo service: several other retailers have also taken their online photo offerings down as a result.
CVS, Costco, Rite Aid, and Tesco also took their photo printing websites offline after it emerged that the third-party vendor that runs them was the target of the breach.
Vancouver-based PNI Digital Media, which is owned by Staples Inc. and operates the various retailers’ photo sites, is now trying to determine the severity of the incident.
A Staples spokesperson said: “PNI is investigating a potential credit card data security issue. If an issue is discovered, it is important to note that consumers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”
Walmart Canada has reported the incident to the Office of the Privacy Commissioner of Canada, which is now “working with the company to determine what occurred,” according to a spokesperson.
Lessons to be Learned
With Walmart Canada not providing any new information about the breach so far, security experts can only speculate about what happened.
According to Don Sears at the SecurityScorecard blog, breaches of this type are not uncommon: attackers have previously exploited misconfigured photo upload forms by uploading malicious code and attempting to execute it.
Sears says that lessons have not been learned following the high-profile Target data breach that occurred in 2013. He says: “by hacking one company, attackers were able to grab data from no fewer than five mega-retailers.”
It is likely to be some time before more is known about the breach and a clearer picture of its severity emerges. Sears believes, though, that this could be the breach “that finally forces large companies to stop letting history repeat itself.”
The incident further highlights the importance of ensuring that your organisational data is kept fully secure no matter where it is being stored, and emphasises how information can be compromised as a result of having just one weak link in your security chain.