CVS recently shut down its online photo services after discovering that a potential data breach may have compromised customer credit card information.
The drugstore chain did not say how many customers may have been affected, but said the breach was limited to transactions made through CVSPhoto.com; those who have made transactions in-store and through CVS’s main site, CVS.com, are safe.
CVS issued the following statement alerting customers of the attack:
We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience.
Customers who provided credit card information for transactions on CVSPhoto.com are advised to check their credit card statements for any fraudulent or suspicious activity and to call their bank or financial institution to report anything of concern.
Customer registrations related to online photo processing and CVSPhoto.com are completely separate from CVS.com, optical.cvs.com, cvs.com/MinuteClinic on line bill pay and our pharmacies. Financial transactions on CVS.com, optical.cvs.com, cvs.com/MinuteClinic and in-store are not affected.
Nothing is more central to us than protecting the privacy and security of our customer information, including financial information. We are working closely with the vendor and our financial partners and will share updates as we know more.
For more information, call 1-800-SHOP-CVS.
The CVS hack comes on the heels of a massive cybersecurity breach at the US government’s Office of Personal Management compromised the information of 21.5 million people, resulting in the resignation of OPM chief Katherine Archuleta.
In recent years, large-scale retailers have become enticing targets for would be hackers. A massive breach at Target in 2013 put payment information of as many as 40 million people at risk. In March, Target paid $10 million to settle a class-action lawsuit stemming from that attack. A previous decision by a Minnesota judge opened the door for that suit, and potentially set a new precedent for retailers that fail to protect consumer data from hackers, Monitor correspondent Jaikumar Vijayan previously reported for Passcode.