Costco is telling customers they can start ordering photos online again, seven weeks after a security breach at a third-party hosting company forced it and several other photo ordering sites to go down in mid-July.
The Issaquah, Wash.-based big-box retailer says customer photos weren’t compromised in the hack, but the company warns in an FAQ, “At this point, we believe that the credit card information of a small percentage of Costco members was captured.”
Costco’s FAQ continues, “Users placing orders for warehouse pick-up may have had their username and password compromised. Users placing mail orders for home delivery may have had their credit card information, mailing address, as well as username and password compromised.”
The hack targeted PNI Digital Media, a Vancouver, B.C.-based company owned by Staples that handles online photo ordering for several sites. Costco reports the company was compromised for over a year, between June 2014 and July 2015.
Sam’s Club, CVS and Rite Aid in the U.S. and Walmart in Canada were also affected. They each had a message to customers posted on Monday morning that said their photo services had not been restored yet.
Costco is telling customers it has completely rebuilt its site and is holding off on certain features, like its mobile app and certain personalized products, until it can roll out additional security measures within the next couple of months.
Other features on the site still had bugs on Monday. GeekWire was able to upload photos for prints and make a custom calendar, but the photo book-making tool didn’t work. Thanks to the reader who pointed this out in the comments below.
Costco is giving widespread discounts and free expedited delivery on all orders as a “welcome back offer.”
“Let us begin by apologizing for all of the inconvenience, frustration and concern created by taking the Costco Photo Center offline,” reads a message to customers on the site Monday morning. “We recognize the value our members place on their memories, and we are very sorry for the lengthy downtime experienced on our site.”
It’s hard to quantify the impact of a breach like this. Costco and others haven’t been able to sell photo prints online for more than a month, but the more painful fallout may come in the form of lost customer loyalty and trust.
PNI Digital has not responded to several GeekWire interview requests for past articles. Cached versions of the company’s contact page from July, when the hack was originally discovered, contained phone numbers and a contact form. As of Monday morning, the same page contained just a corporate mailing address. PNI Digital didn’t respond to several phone calls on Monday, but we will update this post if and when we hear back.
According to a company timeline, PNI Digital was founded in 2001 and is now used in 19,000 retail locations, counting over 18 million transactions.
Here is Costco’s complete message to customers.