Almost three weeks ago Walmart Canada took down the website for its online photo processing service following a possible data breach.
Shortly thereafter, the same action was taken by CVS, Costco, Rite-Aid, and Tesco. Today visitors to the photo processing sites of these mega-retailers are still being greeted with a notice that they are offline.
As it turns out, each company was using the same third-party vendor, Vancouver’s PNI Digital Media, to handle their photo-processing services. PNI Digital Media is now a unit of Staples who acquired them last year.
PNI Digital’s technology allows retailers to enable customers the ability to upload digital photographs through a web interface.
According to all mainstream media reports an investigation has been launched but with almost three weeks passing there has been no updates and the extend of the data breach is still unclear. It is still unknown if any personally identifying information (e.g. credit card numbers) was stolen and how the data breach was even carried out.
Cybersecurity experts can make pretty educated guesses, though. According to Don Sears at SecurityScorecard Blog, image gallery upload exploitation is one of the more common forms of web application attacks, whereby the attackers take advantage of an misconfigured upload form. Attackers will try to upload malicious code instead of an image, and attempt to get the code to execute.
What we do know is that by hacking one company, attackers were able to grab data from no fewer than five major retailers.
In a recent Cybersecurity report highlighted by Techvibes, Prakash Mehta, a resident expert on cybersecurity at international law firm Akin Gump, recommended that clients “create a map of every third party that has access to the firm’s sensitive data, including vendors and suppliers.”
“You cannot just protect on your end,” notes Mehta. “How strong is the cybersecurity with those who have your information?”