NEW YORK — CVS Photo, the popular website that allows users to upload digital images and pick up prints at the pharmacy, appears to have been hacked.
Customer credit card data “may have been compromised,” the pharmacy explained. In cases like these, it’s typically hackers who break in and steal large batches of payment information.
On Friday, the company shut down CVSphoto.com and its smartphone app. The website appeared blank with a message from CVS. The company places responsibility squarely on a contractor that ran the service.
CVS did not name the other company.
However, CNNMoney tracked it down. It’s a Vancouver-based company called PNI Digital Media.
On Friday afternoon, PNI told CNNMoney it is now “investigating a potential credit card data security issue.”
PNI is currently a subsidiary of Staples, which itself was hacked last year and lost 1.2 million credit cards. PNI did not immediately reply to CNNMoney’s questions.
The pharmacy made clear that its photo printing website is completely separate from its medical and pharmaceutical business, so patient data isn’t likely affected.
CVS said it’s now investigating the matter to determine what, if anything, was actually stolen.
CNNMoney asked the pharmacy whether hackers might have also stolen photos customers uploaded, but CVS did not immediately reply.
In what’s become the mantra of every hacked company, CVS also issued this statement: “Nothing is more central to us than protecting the privacy and security of our customer information, including financial information.”
The company posted a statement on its website:
We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience.
Customer registrations related to online photo processing and CVSPhoto.com are completely separate from CVS.com and our pharmacies. Financial transactions on CVS.com and in-store are not affected.
Nothing is more central to us than protecting the privacy and security of our customer information, including financial information. We are working closely with the vendor and our financial partners and will share updates as we know more.
For more information, call 1-800-SHOP-CVS.