PNI Digital Media Was A Third Party Entry Point Into Big Retail: CVS, Walmart, Possibly Others

Update: PNI Digital media is facing multiple class action lawsuits, according to Law 360 and Class Actions Reporter. One suit is centered on CVS in the state of Georgia; the other suit is focused on Costco which was filed in the state of Washington.

Between the news of hackable cars, the Ashley Madison breach, and further revelations from the nefarious Hacking Team, a rather worrisome bit of cybersecurity news has been overlooked. Last week, CVS shut down its photo processing site over concerns that it had been hacked. Shortly thereafter, Walmart announced that it would be shutting down its photo processing site in the U.S. after it had reported a similar photo processing breach in Canada. The same action was followed swiftly by Costco, Rite-Aid, and Tesco.

As it turns out, each company was using the same third-party vendor, PNI Digital Media, to handle their photo-processing services. The methodology of the breach is unclear, and it is still unknown if any PII (Personally Identifying Information, e.g. credit card numbers) was stolen, but this breach is illustrative of the risks that continue to plague retailers nearly two years after hackers struck Target.

The story of Target seemed like an outlier at first. Hackers initially broke in using stolen network credentials stolen from an HVAC vendor. Home Depot, Lowe’s and other retailers have experienced other breaches expedited via third-party vendors. This form of attack is only expected to increase. One of the reasons for the increase in vendor-based attacks is due to increased security in other areas.

Starting in 2014, U.S. credit card infrastructure began a shift to EMV or “chip and pin” technology. In theory, this technology makes directly attacking a retailer less feasible, as it will prevent a credit card from being simply cloned by a compromised POS terminal. In practice, EMV wouldn’t prevent hackers from carrying off a more sophisticated attack, but the increased difficulty will cause many intruders to seek out softer targets. “Softer targets,” in this case, means third-party vendors. Some of them are almost criminally easy to breach. In the case of the Target hack, the third-party vendor in question was protecting their entire company using free antivirus software designed for individual home users.

Target gave many of its vendors credentials that would allow them to directly access the server that handles Target’s payment-processing system. This system was not sufficiently segmented from the rest of Target’s network. Once the hackers had access to one part of Target’s system, they had access to all of it. Target could have one done any of three simple things – monitored the security practices of its vendors, required stronger authentication to access its payment portal, or segmented that portal from the rest of its system – and completely avoided one of the largest breaches in recent years.

The recent events concerning PNI Digital Media show that lessons from the Target breach may have not yet been adequately learned. Again, there’s not yet any evidence that PII was lost, nor do we know exactly how the breach was carried out. However, it is still possible to make some inferences. First of all, by hacking one company, attackers were able to grab data from no fewer than five mega-retailers. This suggests that at least one of these companies weren’t keeping their data adequately segmented. Second of all, PNI is owned by Staples, which suffered a security breach in late 2014. Therefore, this could be a case where retailers failed to adequately vet their third-party vendors, especially if PNI didn’t fix security holes that were present in its parent company.

A Closer Look at the Initial PNI Breach With Walmart

SecurityScorecard’s Chief of Research, Alex Heid, looked into the initial news of this third party breach when the Walmart in Canada breach news broke. With Walmart’s breach, Heid discovered the following:

The indicators of vulnerability that stand out the most are the use of an antiquated AspX CMS system that contained many dynamic parameters. Any single misconfiguration of a single parameter could result in a potential SQL injection.

The business use case of the Walmart Photocentre website is to enable customers the ability to upload digital photographs through the web interface. Image gallery upload exploitation is one of the more common forms of web application attacks, whereby the attackers take advantage of an misconfigured upload form. Attackers will try to upload malicious code instead of an image, and attempt to get the code to execute.

Many image upload forms have protections in place, such as file extension restrictions. However, there are many ways in which attackers are able to bypass these restrictions, such as with file format bugs. These types of attacks are also more common in legacy systems. Walmart has not released the attack vector that was used, this information was gleaned through an external security posture analysis of what remains online of WalmartPhotocentre.ca. The image below shows multiple MS Dynamix ASPX URLs indexed by Google.

Breach forensics is a slow process, so it will likely be weeks or months before we get the full picture of the PNI attack. Depending on the outcome, this could be the breach that finally forces large companies to stop letting history repeat itself.

“Advice to businesses going forward are to ensure that third party vendors who rely on legacy systems are adequately protected through the use of additional security controls, such as Web Application Firewalls (WAF), / Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS),” said Heid.