Pharmacy chain CVS has apparently suffered a data breach in its online photo business and consequently has temporarily taken it off line while it investigates the matter. Here is a copy of their announcement.
“We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience.
Customers who provided credit card information for transactions on CVSPhoto.com are advised to check their credit card statements for any fraudulent or suspicious activity and to call their bank or financial institution to report anything of concern.
Customer registrations related to online photo processing and CVSPhoto.com are completely separate from CVS.com, optical.cvs.com, cvs.com/MinuteClinic on line bill pay and our pharmacies. Financial transactions on CVS.com, optical.cvs.com, cvs.com/MinuteClinic and in-store are not affected.
Nothing is more central to us than protecting the privacy and security of our customer information, including financial information. We are working closely with the vendor and our financial partners and will share updates as we know more.
For more information, call 1-800-SHOP-CVS.”
However, the story does not end there. CVSPhoto.com is operated by PNI Digital Media, a third party vendor that also operates the online photo business for Walmart Canada which discovered a similar data breach last week. In fact, PNI also operates online the photo businesses of Sam’s Club, Walgreens, Rite Aid and others including Costco’s photo center which also took its online photo business off line as a precautionary measure. Anyone who has used the online photo services of any of these companies should be particularly vigilant at this time as it certainly appears that a security flaw in PNI Digital Media’s computer software or systems is being exploited to steal credit and debit card information.
One of the most important takeaway from this is that when choosing whether to use your credit card or debit card for retail transactions, you should always pick your credit card. Your liability for unauthorized use of a credit card is limited by federal law to no more than $50 and most credit card companies will not even hold you responsible for even that amount. However, your liability for unauthorized use of your debit card can potentially be unlimited if you do not promptly notice and report the fraudulent use of your card thereby putting your entire bank account tied to your debit card in jeopardy. In addition, even if you notice and report the unauthorized use of your debit card immediately, your bank account is frozen while the bank investigates the matter thereby temporarily taking away your own access to your bank account. Limit your debit card use to ATMs.
Specifically for those people who have used the services of any of the affected companies, you should monitor your credit card use online to be on the look out for any fraudulent use.