CVS Photo Website Credit Card Information Possibly Stolen in Breach

CVS' online photo service remained shut down Friday, a day after the company acknowledged that it may have been hacked and that credit card information may have been stolen from it.

The US' second-largest drugstore chain said the site was switched off as a precaution and that it has also sealed off related mobile device apps.

Woonsocket, Rhode Island-based CVS Health Corp. said Friday that payment information on the site is collected by an outside vendor, which it identified as Canada-based PNI Digital Media. It added that the information is kept separate from its main CVS.com website and the computer system used by its pharmacies.

Payments made through CVS.com and in CVS stores - including in-store photo kiosks - are not affected.

Neither CVS nor Staples Inc., PNI's parent company, would say how many customers could potentially be affected, both adding that they have investigations under way and will release information as it becomes available.

Adam Levin, chairman and founder of the security firm IDT911 Consulting, said outside vendors have all too often proved to be the weak link when it comes to a company's data security.

"Businesses need to get the big picture and make sure that they hire vendors that have a track record of strong security practices, or demand from their vendors adherence to the toughest security standards," Levin said in an email.

The news of the CVS breach broke about a week after Wal-Mart Stores Inc. announced that it's investigating a possible theft of credit card data from its Canadian photo website, which also is served by PNI.

Similar to CVS, the discounter said it has no reason to believe that its main Canadian and U.S. sites, or any in-store transactions, were affected by the potential theft, which was first disclosed July 10.

It urged its Canadian online photo customers to carefully monitor their credit card transactions and immediately report any fraudulent charges to their financial institutions. The site remains shut down.