Walmart Canada has told customers who used its photo centre from June 2014 to July 2015 that their credit card data and other personal information has been compromised.

Last July, the retailer took down the photo centre website and mobile applications operated by PNI Digital Media, based in Vancouver and owned by Staples Inc. It also notified those who used the photo centre during the period of a possible data breach.

In new emails dated Nov. 4, Walmart said its investigation showed an unauthorized party used “malware” – or malicious software – on some of PNI’s servers supporting its retail clients, including some servers that hosted the Canadian photo centre site.

“The malware is designed to collect credit card and other personal information customers provide when placing an order, including name, email and account password. The malware is not designed to capture images or photos uploaded by customers or to capture a customer’s PIN (personal identification number),” the company said.

“At this point, we are not able to confirm whether any personal customer information potentially collected by the malware was misused by a third party.”

The emails, signed by Walmart Canada Photo Centre Team, told customers to contact their financial institutions if they saw irregular credit card activity and change the passwords used at other sites if they were the same as at the Walmart photo site.

“We sincerely apologize for the inconvenience this has caused and thank you for your patience,” the email said.

Surprisingly, Walmart did not provide access to a free credit monitoring service to customers whose privacy was breached. This has become standard practice for retailers.

Home Depot Canada, for example, gave customers one year of protection with Equifax Canada after private data was compromised in 2014.

Target Canada, now out of business, also offered a free year of credit monitoring after a data breach in late 2013.

Walmart Canada stopped running its own online photo centres and hired PNI Digital Media last year. This led to delayed production of Christmas cards and albums ordered from Nov. 1 to Dec. 14, 2014.

“We realize this is not the service customers have come to expect from Walmart,” spokesman Alex Roberton told me last January.

Walmart gave full refunds to clients whose photo orders were delivered after Christmas – and offered 100 free prints and a $100 photo credit to those with late orders delivered before Dec. 24.

Eric Bouchard placed his photo order last December and sought my help to get delivery in January. He contacted me again last July.

“On top of really bad service from the Walmart photo centre last holiday season, now they have their credit card data stolen,” he said. “This may give them a good lesson that using third parties to save money is not always the best way to go.”

Other retailers that used PNI Digital Media – such as Rite-Aid, CVS and Costco in the U.S., plus Tesco in Britain – also took their photo processing sites offline last July.

Exploiting uploads to an image gallery is a common form of Web attack, said an article at the Techvibes website about the Walmart data breach.

“Attackers will try to upload malicious code instead of an image and attempt to get the code to execute. What we do know is that by hacking one company, attackers were able to grab data from no fewer than five major retailers.”

I could not reach a Walmart Canada spokesperson after several attempts. I found the media link at its website was not working.

A customer said she called the head office in Mississauga (905-821-2111) many times this week to ask for the executive escalation team. She heard only a message to leave a voicemail or many rings with no pickup.

The Walmart data breach may affect 750,000 Canadians, an informed observer told me. It’s potentially bigger than the Medicentres incident in Alberta, when a laptop with the private health information of 620,000 patients was stolen last year.

My view: Walmart is the world’s largest retailer. As Roberton said last July, this is not the service customers expect. The company should do more to show it’s sorry for exposing their private data to hackers.

Ellen Roseman writes about personal finance and consumer issues. You can reach her at eroseman@thestar.ca or www.ellenroseman.com
