06:00 PM
Connect Directly

Photo Processing Vendor Exposes CVS, Wal-Mart, Costco

Retail breaches highlight third-party risk -- again.

A breach announced last week by a third-party vendor that manages and hosts photo processing websites for retailers has left at least five major retailers reeling in the wake of the exposure. As reported last week, Wal-Mart and CVS were the first known affected organizations, but today news has trickled in that Costco, RiteAid, and British-based Tesco are all investigating potential incidents as well.

According to PNI Digital Media, the company handles over 18 million transactions a year across 19,000 retail locations and 8,000 photo processing kiosks. While the scope of this breach is still hazy, security experts say that it is a good example of the danger posed by third-party vendors, particularly those that touch sensitive customer records.

"In the age of the mega data breach, you will be judged by the company you keep," says Adam Levin, co-founder of IDT911 and the former director of NJ Division of Consumer Affairs. "Vendors need to be vetted as rigorously as senior management, and there can be zero-tolerance for poor security protocols."

This case in particular brings to light the challenges that traditional retailers face when trying to build out digital and e-commerce services delivered through kiosks and other on-site services.

"The integration of eCommerce services and bricks and mortar retail introduces a unique challenge to security teams, particularly when the service provided is via third party which collects payment information and customer interaction," says Ken Westin, security analyst for Tripwire, explaining that ensuring the security of third-party vendors is not always possible without extensive and continuous auditing, which is frequently not practical.

"Attackers are well aware of this and spend a great deal of time not only understanding their targets’ network architecture, but also other potential channels into these networks and customer data such as through third party providers," he says.

Retailers have been hard hit by third-party lapses of late, as experts point to third-party breach connections in incidents at Goodwill, Lowe’s, Dairy Queen, Home Depot, and Target in the past few years. But this recent breach is different because the vendor might be found liable, says Igor Baikalov, chief scientist for Securonix.

"The new PCI Data Security Standard, PCI DSS 3.0, specifically calls out the risk of third-party vendors, but it only covers payment data, and businesses are still struggling to implement it," Baikalov says. "The most recent version of the PCI DSS, 3.1, that was issued on April 15, 2015, explicitly places liability for the security of the cardholder data on the service providers."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-23
GoRose v1.0.4 has SQL Injection when the order_by or group_by parameter can be controlled.
PUBLISHED: 2019-02-23
PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site Request Forgery (CSRF) in my-account.php.
PUBLISHED: 2019-02-23
PHP Scripts Mall Auction website script 2.0.4 allows parameter tampering of the payment amount.
PUBLISHED: 2019-02-23
PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal into the parent directory of a jpg or png file.
PUBLISHED: 2019-02-23
PHP Scripts Mall Custom T-Shirt Ecommerce Script 3.1.1 allows parameter tampering of the payment amount.