Costco Photo Breach Makes Us Wonder Who Cares About CyberSecurity

by J. Colin Petersen, President & CEO: Last summer, my wife went to the Costco website to upload photos of the kids to get prints for Grandma. Instead of a 3×5 of the flying waffle breakfast sandwich, she got a message that the site was unavailable. The 2015 Costco photo breach made us wonder who cares about cyber security any more.

If you’ve read even a few of the articles on the J –  I.T. News, you know that my team stays on top of technology and security news. It was the first any of us had heard about this breach. There was no email, nothing on the main page, and not even a push notification on their app. You had to go to the site to find out that they’d been hacked and that your credit card information was potentially compromised on July 17th, 2015.

Costco photo hack website breach

There were a few news stories about it around July 20th, 2015 but nothing that even made the front page of Google Technology news. Mashable had no interest. The Twittersphere reported on it, mostly technology firms sharing news article links with the #cybersecurity hashtag, but the usual complaint storm you see on Twitter for any retailer wrong-doing was oddly absent. Eventually outlets like GeekWireand Hacked started reporting on it in September.

Two weeks later, the site was still down. As were the photo printing pages for CVS, RiteAid, Sam’s Club, WalMart in Canada, and British supermarket chain Tesco. They all had a message very similar to that of the Costco photo page, “Sorry, we’ve been potentially hacked. As a precaution, we’ve temporarily shut down access to online photo services.”

Why Does No One Care?

They shut it down and no one complains? Do people not get their photos printed anymore? Or are we now just completely numb to the implications of yet another hack? I find it astonishing that there isn’t any appreciable complaining, grumbling, or even much discussion about it still being down after nearly three weeks. We expect to get everything, instantly, whenever we want it. If you’re a regular Costco photo printer, you’ve got to find an alternative to your usual routine. That makes it not instant any more.

I get it that with digital photos, you no longer have to get them printed, but there are still plenty of people who do want the best of their snapshots in physical form. The online photo printing business is expected to hit nearly $8 billion in sales in 2016. That’s a lot of 15 cent 3×5 prints.

CVS, Walgreens, Costco, Sam’s Club … these are all extremely user-friendly, convenient ways to get your photos printed. You have a one-time set up and then you just use your mobile device to upload pictures. Pick them up on your next trip. Easy! That’s why I’m surprised there’s so little complaining about these major retail services being shut down.

Maybe no one cares about the Costco photo breach because they still have the option of going to Shutterfly and Snapfish, so I guess that makes it okay? Except that’s not the point! The point is that hackers have once again broken into a system to steal your information. Once again, your personal info is at risk.

The first few articles called it a “possible breach” of user accounts. Later articles confirmed that the hackers were after names, addresses, phone numbers, photo account passwords and credit card information.

Look, they were after your credit card information. They don’t care about your photos. No one needs to get a job in a photo lab anymore to creep out on private pictures because you can find every conceivable body part you can imagine (and a few you don’t want to) on the internet. Besides, today’s Millennials just let it all hang out on Instagram and Facebook anyways. They don’t care who’s looking.

Vet Your Vendors

There’s another layer to this that’s important to businesses. I feel for Costco, CVS, RiteAid and all these retailers. They wanted to provide their customers with a convenient and cost-effective service by outsourcing their photos to a specialized, third-party vendor.

They trusted that vendor, PNI Digital Media, to provide the service and protect their clients. Instead, they got hacked and Costco was now on the hook for a third-party vendor.

Was PNI negligent? PNI digital media third-party photo printing vendorOr careless? Probably not any more than any other large (or small) business out there that isn’t sufficiently paranoid about their digital security. The more concentrated the data, the more sources of information that are feeding into your organization, the more they want to break in. I can really only blame PNI for not thinking that they would be such a juicy target. They probably were thinking, “No one needs to look at all these pictures when most of them are already on the Internet.” No, no one needs to break into anything anymore to see naked booty photos. Kim Kardashian has completely solved that problem.

You must assume that nearly every breach is about the money. Lots of money, all in one place. Look at the breach of LastPass (a password management service) in June of this year. The hackers are getting lazier. Why spend time digging into individual systems when they can go straight to the motherload of compiled information?

But don’t think this makes you, the small business owner, safe. You’re still at risk: probably even more so because you depend on third-party vendors, all of whom are a great source of accounts, and you’re a target for the local thief. And by local thief, I mean your employees and past employees. But that’s a topic for another day.

Don’t Assume; Ask Questions

For right now, the lesson to take from this is that you CANNOT ASSUME your third-party vendors and service providers have a perfect grasp on security. You must vet your vendors. You must ask them uncomfortable questions about their security and backup practices. If they’re on it, they’ll welcome your questions. If they’re missing something, but they’re consciously trying to improve on it all the time, they’ll appreciate your questions.

If you don’t know what to ask, find someone who does. As a Business Technologist, it’s what I do. I ask the hard questions and I welcome them. Got some? Feel free to contact me at 559-485-4335.

Update: There is now a class-action lawsuit against PNI.