CVS Health has sent e-mails to customers of its former online photo service confirming that personal information may have been stolen by hackers earlier this summer.
The photo service, CVSPhoto.com, is managed and hosted by PNI Digital Media, a vendor owned by Staples Inc. CVS took down the site in June after learning about a possible breach.
The Woonsocket, R.I., company said Friday that investigators have learned that the site was indeed hacked and the data breach included credit-card information for some customers, as well as names, phone numbers, e-mail addresses, usernames, and passwords. CVS said it appears that the hackers did not steal any photographs.
CVS declined to say how many customers were affected. A spokesman said customers who had their credit-card information stolen will receive one year of free credit monitoring and identity theft resolution services through Experian.
Staples said it is continuing to investigate the data security breach.
“While the investigation is ongoing, the results to date suggest that an unauthorized party entered PNI’s systems and was able to deploy malware designed to capture user input on PNI’s servers that support some of its customers’ websites,” said Kirk Saville, a Staples spokesman. “At this time, there is no reason to believe that the unauthorized party accessed photos or PIN numbers.”
The breach also affected other retailers.