06:00 PM
Photo Processing Vendor Exposes CVS, Wal-Mart, Costco

Retail breaches highlight third-party risk -- again.

A breach announced last week by a third-party vendor that manages and hosts photo processing websites for retailers has left at least five major retailers reeling in the wake of the exposure. As reported last week, Wal-Mart and CVS were the first known affected organizations, but today news has trickled in that Costco, RiteAid, and British-based Tesco are all investigating potential incidents as well.

According to PNI Digital Media, the company handles over 18 million transactions a year across 19,000 retail locations and 8,000 photo processing kiosks. While the scope of this breach is still hazy, security experts say that it is a good example of the danger posed by third-party vendors, particularly those that touch sensitive customer records.

"In the age of the mega data breach, you will be judged by the company you keep," says Adam Levin, co-founder of IDT911 and the former director of NJ Division of Consumer Affairs. "Vendors need to be vetted as rigorously as senior management, and there can be zero-tolerance for poor security protocols."

This case in particular brings to light the challenges that traditional retailers face when trying to build out digital and e-commerce services delivered through kiosks and other on-site services.

"The integration of eCommerce services and bricks and mortar retail introduces a unique challenge to security teams, particularly when the service provided is via third party which collects payment information and customer interaction," says Ken Westin, security analyst for Tripwire, explaining that ensuring the security of third-party vendors is not always possible without extensive and continuous auditing, which is frequently not practical.

"Attackers are well aware of this and spend a great deal of time not only understanding their targets’ network architecture, but also other potential channels into these networks and customer data such as through third party providers," he says.

Retailers have been hard hit by third-party lapses of late, as experts point to third-party breach connections in incidents at Goodwill, Lowe’s, Dairy Queen, Home Depot, and Target in the past few years. But this recent breach is different because the vendor might be found liable, says Igor Baikalov, chief scientist for Securonix.

"The new PCI Data Security Standard, PCI DSS 3.0, specifically calls out the risk of third-party vendors, but it only covers payment data, and businesses are still struggling to implement it," Baikalov says. "The most recent version of the PCI DSS, 3.1, that was issued on April 15, 2015, explicitly places liability for the security of the cardholder data on the service providers."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
