Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:00 PM
Connect Directly

Photo Processing Vendor Exposes CVS, Wal-Mart, Costco

Retail breaches highlight third-party risk -- again.

A breach announced last week by a third-party vendor that manages and hosts photo processing websites for retailers has left at least five major retailers reeling in the wake of the exposure. As reported last week, Wal-Mart and CVS were the first known affected organizations, but today news has trickled in that Costco, RiteAid, and British-based Tesco are all investigating potential incidents as well.

According to PNI Digital Media, the company handles over 18 million transactions a year across 19,000 retail locations and 8,000 photo processing kiosks. While the scope of this breach is still hazy, security experts say that it is a good example of the danger posed by third-party vendors, particularly those that touch sensitive customer records.

"In the age of the mega data breach, you will be judged by the company you keep," says Adam Levin, co-founder of IDT911 and the former director of NJ Division of Consumer Affairs. "Vendors need to be vetted as rigorously as senior management, and there can be zero-tolerance for poor security protocols."

This case in particular brings to light the challenges that traditional retailers face when trying to build out digital and e-commerce services delivered through kiosks and other on-site services.

"The integration of eCommerce services and bricks and mortar retail introduces a unique challenge to security teams, particularly when the service provided is via third party which collects payment information and customer interaction," says Ken Westin, security analyst for Tripwire, explaining that ensuring the security of third-party vendors is not always possible without extensive and continuous auditing, which is frequently not practical.

"Attackers are well aware of this and spend a great deal of time not only understanding their targets’ network architecture, but also other potential channels into these networks and customer data such as through third party providers," he says.

Retailers have been hard hit by third-party lapses of late, as experts point to third-party breach connections in incidents at Goodwill, Lowe’s, Dairy Queen, Home Depot, and Target in the past few years. But this recent breach is different because the vendor might be found liable, says Igor Baikalov, chief scientist for Securonix.

"The new PCI Data Security Standard, PCI DSS 3.0, specifically calls out the risk of third-party vendors, but it only covers payment data, and businesses are still struggling to implement it," Baikalov says. "The most recent version of the PCI DSS, 3.1, that was issued on April 15, 2015, explicitly places liability for the security of the cardholder data on the service providers."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-20
An issue was discovered in the Texas Instruments (TI) TM4C microcontroller series, such as the TM4C123. The eXecute-Only-Memory (XOM) implementation prevents code read-outs on protected memory by generating bus faults. However, single-stepping and using breakpoints is allowed in XOM-protected flash ...
PUBLISHED: 2019-08-20
The user-role plugin before 1.5.6 for WordPress has multiple XSS issues.
PUBLISHED: 2019-08-20
The wp-all-import plugin before 3.4.7 for WordPress has XSS.
PUBLISHED: 2019-08-20
The moreads-se plugin before 1.4.7 for WordPress has XSS.
PUBLISHED: 2019-08-20
The pagination plugin before 1.0.7 for WordPress has multiple XSS issues.