CVS digital Photo printing
Customer credit card data "may have been compromised, " the pharmacy explained. In cases like these, it's typically hackers who break in and steal large batches of payment information.
On Friday, the company shut down CVSphoto.com and its smartphone app. The website appeared blank with a message from CVS. The company places responsibility squarely on a contractor that ran the service.
CVS did not name the other company.
However, CNNMoney tracked it down. It's a Vancouver-based company called PNI Digital Media.
On Friday afternoon, PNI told CNNMoney it is now "investigating a potential credit card data security issue."
PNI is currently a subsidiary of Staples, which itself was hacked last year and lost 1.2 million credit cards. PNI did not immediately reply to CNNMoney's questions.
The pharmacy made clear that its photo printing website is completely separate from its medical and pharmaceutical business, so patient data isn't likely affected.
CVS said it's now investigating the matter to determine what, if anything, was actually stolen.
CNNMoney asked the pharmacy whether hackers might have also stolen photos customers uploaded, but CVS did not immediately reply.
In what's become the mantra of every hacked company, CVS also issued this statement: "Nothing is more central to us than protecting the privacy and security of our customer information, including financial information."