Walmart photo centre exposed to hackers
Walmart Canada has told customers who used its online photo centre from June 2014 to July 2015 that their credit card data and other personal information have been compromised.
Last July, the retailer took down the photo centre website and mobile applications operated by PNI Digital Media, based in Vancouver and owned by Staples Inc.
It also notified those who used the photo centre during the period of a possible data breach.
In new emails dated Nov. 4, Walmart said its investigation showed an unauthorized party used “malware,” malicious software, on some of PNI’s servers supporting its retail clients, including some servers that hosted the Canadian photo centre site.
“The malware is designed to collect credit card and other personal information customers provide when placing an order, including name, email and account password. The malware is not designed to capture images or photos uploaded by customers or to capture a customer’s PIN (personal identification number),” the company said.
“At this point, we are not able to confirm whether any personal customer information potentially collected by the malware was misused by a third party.”
The emails, signed by Walmart Canada Photo Centre Team, told customers to contact their financial institutions if they saw irregular credit card activity and change the passwords used at other sites if they were the same as at the Walmart photo site.
“The privacy of customer information is a top priority for Walmart Canada and we have taken the situation very seriously,” said a spokesman, Alex Roberton, citing a voluntary notification of the Office of the Privacy Commissioner and the Canadian Anti-Fraud Centre.
Surprisingly, Walmart did not provide a free credit-monitoring service to customers whose privacy was breached.
This has become standard practice for retailers.
Home Depot Canada, for example, gave customers one year of protection with Equifax Canada after private data was compromised in 2014.
Target Canada, now out of business, also offered a free year of credit monitoring after a data breach in late 2013.
I started hearing from customers when Walmart Canada hired PNI last year to run its online photo centres.
This led to delayed production of Christmas cards and albums ordered from Nov. 1 to Dec. 14, 2014.
“We realize this is not the service customers have come to expect from Walmart,” Roberton told me last January.
Walmart gave full refunds to clients whose photo orders were delivered after Christmas — and offered 100 free prints and a $100 photo credit to those with late orders delivered before Dec. 24.
Eric Bouchard sought my help to get delivery in January. (It took 37 days.) He contacted me again last July.
“On top of really bad service from the Walmart photo centre last holiday season, now they have their credit card data stolen,” he said. “This may give them a good lesson that using third parties to save money is not always the best way to go.”
Other retailers that used PNI Digital Media — such as Rite-Aid, CVS and Costco in the U.S., plus Tesco in Britain — also sent their photo processing sites offline last July.
Exploiting uploads to an image gallery is a common form of web attack, said an article at the Techvibes website about the Walmart data breach.
“Attackers will try to upload malicious code instead of an image and attempt to get the code to execute. What we do know is that by hacking one company, attackers were able to grab data from no fewer than five major retailers.”
The Walmart data breach may affect 750,000 Canadians, an informed observer speculated. It’s potentially bigger than the Medicentres incident in Alberta, when a laptop with the private health information of 620,000 patients was stolen last year.
My view: Walmart is the world’s largest retailer. As Roberton said last July, this is not the service customers expect.
The company should do more to show it’s sorry for exposing their private data to hackers.
Ellen Roseman writes about personal finance and consumer issues. You can reach her at eroseman@thestar.ca or ellenroseman.com.