CVS: Photo site user info possibly stolen in July hacking

NEW YORK (AP) - CVS said Friday investigators have confirmed the company that manages their photo website was indeed hacked this summer, possibly resulting in the theft of some CVS customer information.

The photo website of the nation's second-largest drugstore chain has been shut down since July after the breach was detected. The photo sites of Rite Aid, Costco and Wal-Mart Canada also were affected in the breach.

CVS Health Corp. said it started contacting potentially-affected customers on Friday. A spokesman for the Woonsocket, Rhode Island-based company wouldn't say how many customers were being notified, or comment beyond the note to consumers posted on CVS' photo website.

The company's main CVS.com website, the computer system used by its pharmacies, its optical website and its MinuteClinic online bill pay site, all were not affected by the breach. Sales made in CVS stores also were not affected.

The Rite Aid and Wal-Mart Canada sites also remained down Friday afternoon, while the Costco site has restarted limited operations.

Staples Inc., the parent company of Canada-based PNI Digital Media, which manages all of the sites, says based on its investigation so far, it appears the hackers breached PNI's computer systems and used malware to capture user information on the company's servers.

However, it says there's no sign that hackers accessed user photos or pin numbers.

"The company is working with outside security experts to determine the nature and scope of the incident, including what user data was impacted and the time period involved," Staples' statement read.