Following Walmart Canada's recent shutdown of its Photocentre website, several other leading photo processing sites are following suit, including those run by Costco, CVS, Tesco and Rite Aid.
The link between all of them? They're all clients of third-party service provider PNI Digital Media, which was acquired by Staples last year.
The Costco Photo Center website was recently taken down and replaced with a statement reading, in part, "As a result of recent reports suggesting that there may have been a security compromise of the third party vendor who hosts Costcophotocenter.com we are temporarily suspending access to the site. This decision does not affect any other Costco website or our in-store operations, including in-store photo centers."
Similarly, the CVSPhoto.com site was replaced with a statement reading, in part, "We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services."
And Rite Aid's photo site now states, "We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data. The data that may have been affected is name, address, phone number, email address, photo account password and credit card information. Unlike for other PNI customers, PNI does not process credit card information on Rite Aid’s behalf and PNI has limited access to this information."
In the U.K., the Tesco Photo site has also been taken down and replaced with a statement simply reading, "Tesco Photo is currently unavailable. We are sorry the Tesco Photo website and apps are currently unavailable for you to browse and order. We are doing everything we can to get up and running again as soon as possible."
In a statement provided to Reuters, Staples vice president of global communications Kirk Saville said, "We take the protection of information very seriously. PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation."
IDT911 chairman and founder Adam Levin told eSecurity Planet by email that businesses need to be sure to hire vendors with a clear track record of strong security practices. "When it comes to protecting consumer data, good cyber hygiene must be ingrained in a corporate culture and include everyone from the mailroom to the board," he said. "An organization must demand the same from its partners and vendors."
"A system is only as strong as its weakest link, and in incident after incident vendors are proving to be the weakest link," Levin added.
And Tim Erlin, director of IT security and risk strategy at Tripwire, said several recent breaches have made information security teams aware of the risks of working with third party service providers. "While outsourcing may provide a reduction in cost to the business, the potential risk has to be part of the overall calculation," he said.
"In these cases, where credit card data has been stolen from a third party vendor, it’s the major brand that hits the headlines," Erlin added.
A recent Forrester Consulting survey of IT security and risk management decision makers found that 79 percent of respondents said ensuring that business partners and third parties comply with their security requirements is a top IT security priority over the next 12 months.
When asked what third-party security information they would like to monitor, 68 percent of respondents said they wanted to understand third-party threat and vulnerability management practices, 67 percent said third-party encryption policies and procedures, 66 percent said security incident response processes, and 64 percent said threat intelligence practices.
Still, only 37 percent of respondents said they track any of those metrics on at least a monthly basis.
A recent eSecurity Planet article examined several ways of minimizing the risks introduced by working with third-party vendors.