News

Actions

CVS Photo website might have been hacked

Posted

NEW YORK (CNNMoney) — CVS Photo, the popular website where you can upload digital images and pick up prints at the pharmacy, appears to have been hacked.

Customer credit card data “may have been compromised,” the pharmacy explained. In cases like these, it’s typically hackers who break in and steal large batches of payment information.

On Friday, the company shut down CVSphoto.com and its smartphone app. The website appeared blank with a message from CVS. The company places responsibility squarely on a contractor that ran the service.

CVS did not name the other company.

However, CNNMoney found online records that indicate the website is operated by PNI Digital Media, based in Vancouver.

CVS’s privacy policy names PNI as its online photo partner. Also, PNI has operated CVSphoto.com and was contracted to run it until at least 2014, according to previously made corporate statements.

Additionally, CVS.PNImedia.com redirects to CVSphoto.com.

PNI is currently a subsidiary of Staples, which itself was hacked last year and lost 1.2 million credit cards. PNI did not immediately reply to CNNMoney’s questions.

The pharmacy made clear that its photo printing website is completely separate from its medical and pharmaceutical business, so patient data isn’t likely affected.

CVS said it’s now investigating the matter to determine what, if anything, was actually stolen.

CNNMoney asked the pharmacy whether hackers might have also stolen photos customers uploaded, but CVS did not immediately reply.

In what’s become the mantra of every hacked company, CVS also issued this statement: “Nothing is more central to us than protecting the privacy and security of our customer information, including financial information.”