The most recent Walmart data leak occurred in January 2021, when a security flaw on the Walmart Canada website left customer information exposed to unauthorized individuals. As of October 2023, no Walmart breaches have been reported since this incident.
In this article, we’ll walk through a full timeline of Walmart data breaches, starting with the most recent.
January 2021: Website Security Flaw Exposes Customer Information
In January 2021, news broke of a security flaw on the Walmart Canada website that left customer data accessible to unauthorized persons. A vulnerability associated with the order lookup section of the website was discovered by a customer, and the exploit allowed for the viewing of customer information, including names, addresses, order dates, order contents, methods of payment, and the last four digits of credit cards.
Initially, the customer attempted to report the flaw, but attempts to contact Walmart Canada were unsuccessful. The customer then reached out to a local news organization, which replicated the issue and, after confirming the customer was correct, was able to contact Walmart.
Walmart Canada set up a redirection to another page soon after, likely to research a solution. The same vulnerability was also identified on another related page, and the same redirection was used there.
It isn’t clear whether any of the involved customer data was collected by malicious actors or how many customers were made vulnerable due to the issue.
March 2019: Vendor Employees Investigated for Snooping on Internal Walmart Emails
In March 2019, news broke that employees of a third-party Walmart vendor were being investigated for accessing internal Walmart emails without authorization. The provider in question was Compucom, a technology contractor that was acquired by Office Depot in 2017. Compucom employees were listed in a search warrant filed by the FBI, and were accused of reviewing internal Walmart communications to find information that could give Compucom an edge over competitors when submitting contract bids.
According to reports, the email snooping began in late 2015 and continued through early 2016. One Compucom employee allegedly relayed information he discovered in Walmart company emails through his personal email account.
The activity was discovered when a Compucom employee took a picture of an internal Walmart message discussing a disciplinary matter. The photo was sent a Walmart employee he’d spoken with, and the image was then mistakenly forwarded to the daughter of another Walmart employee, who reported the incident.
March 2018: Walmart Partner Exposes Data on 1.3 Million Customers
MBM Company – which operated Limoges Jewelry, a Walmart Partner – exposed data on 1.3 million customers after leaving an Amazon S3 bucket publicly accessible. The issue was discovered by a cybersecurity firm, which initially believed the leak involved data managed by Walmart. However, it was determined that MBM Company was behind the leak.
Within the database, a significant amount of personally identifiable information (PII) on customers was available. Records included names, addresses, phone numbers, emails, and plaintext passwords of more than 1.3 million American and Canadian customers of Walmart and a few other major retailers, including Amazon and Target.
Some of the records dated back to 2000, but others were as recent as early 2018. Those researching the data believed it was possibly a primary customer database for MBM Company.
July 2015: Walmart Canada Third-Party Vendor Breach Exposes Credit Cards Numbers
In July 2015, Walmart Canada and CVS announced a potential data breach involving a Canadian third-party tech vendor that potentially exposed the credit card information of customers. The vendor was connected to the photo processing portion of the two companies’ websites, and the breach potentially impacted millions of customers.
The third party in question was PNI Digital Media, which was owned by Staples and hosted the photo processing sites, and collected related customer payment information. In response, the retailers disabled the photo processing portions of their sites and mobile apps.
October 2009: News Breaks of Stolen Walmart Point-of-Sale System Source Code
In October 2009, reports emerged of a hack impacting Walmart’s point-of-sale system source code. The incident reportedly occurred in 2005 and 2006, when hackers focused on the development team in charge of the point-of-sale system’s development. The source code – along with other sensitive data – was sent to a computer in Belarus.
Walmart was aware of the breach far before news of it emerged. The retail giant considered it an internal issue, as no sensitive customer data was involved. Walmart took action once the problem was detected in 2006, including reporting the incident to federal law enforcement, which was also investigating similar breaches that occurred around the same time.
Walmart discovered the breach following a server crash. While examining the server, a password-cracking tool was found on the system, and that program is what led to the crash. The tool was found to have been installed remotely, and the hacker gained access through a VPN account associated with a former employee that wasn’t properly closed after the worker’s employment at Walmart ended.
After disabling the VPN account, the hacker attempted entry through a second VPN account that was assigned to a different employee. When that VPN was closed, an attempt with a third account was made. During the investigation, evidence appeared showing more than 800 machines were potentially targeted by the hacker since June 2005.