PNG Digital Media, a vendor based in Vancouver responsible for the hosting of photo processing websites of CVS and Walmart Canada may have been breached and leaked millions of customers’ credit card details, the New York Times reported.

According to the same report, Walmart’s photo-processing website which is also hosted by the same vendor isn’t believed to be affected. Similarly, neither of Walmart’s main websites in the United States nor Canada are affected, according to Marilee McInnis, a company spokesman.

She stressed that Canadian authorities along with regulators have been notified of the attack and added that: “Our customers’ privacy is of the utmost importance. We immediately launched an investigation and will be contacting customers who may be impacted.”

Costco’s photo website has been taken down too, with the retailer putting out a statement on the website saying, “As a result of recent reports suggesting that there may have been a security compromise of the third party vendor who hosts Costcophotocenter.com we are temporarily suspending access to the site.”

Another Pharmacy and Healthcare organization breached.

CVS has shut down its online photo center since Friday and has notified customers who have previously visited CVSPhoto.com that the third party vendor PNG Media is likely to have suffered a credit card breach.

“We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised,” CVS said in a statement on the photo website. “As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience.”

Vendors are easy targets

Security researchers believe that data breaches are among the biggest threats to customer privacy and they only reinforce the importance of stringently vetting information technology vendors. Many security experts believe that vendors are often the weakest link.

“Breaches have become a certainty in life, and everybody’s got to step up their game,” said Adam Levin, founder of security firm IDT911. “Even if the problem stems from a vendor, the retailer’s reputation is harmed, and it ends up in the middle of lawsuits.”

Staples owns the Canadian technology vendor PNI Digital Media and the office-supply chain store itself was the victim of a hack last year.