In the modern technological era, data breaches have become a common occurrence that threatens the security and privacy of individuals and organizations alike. Walmart, one of the largest retail corporations in the world, has been no exception to this trend.
Over the years, Walmart has experienced several high-profile data breaches, resulting in the exposure of sensitive data belonging to millions of its customers and employees.
To prevent such data breaches from occurring in the future, Walmart has since taken several steps to enhance the security measures of its network.
The company has invested in new technologies, such as machine learning algorithms and advanced analytics tools, to detect and prevent cyber-attacks.
It has also implemented stricter access controls, requiring stronger passwords and multi-factor authentication for employees and vendors who access its systems.
Despite these efforts, Walmart continues to face threats from cyber-attacks, highlighting the ongoing challenges that companies face in protecting their data from sophisticated attackers.
The company’s experience underscores the need for all organizations, regardless of size or industry, to prioritize data security and implement robust security measures to safeguard their sensitive information from being exposed.
Below is the list of all Walmart data breaches with the timeline.
Table of Contents
January 2021 – Walmart Data Breach
Customer data on the Walmart Canada website was accessible to unauthorized persons due to a security flaw that was reported in January 2021.
An individual discovered a vulnerability in the order lookup section of the website, which enabled the viewing of customer details such as names, addresses, order dates, order contents, payment methods, and the last four digits of credit cards.
Initially, a customer tried to notify Walmart Canada of the defect but was unable to get in touch with them. Subsequently, the customer contacted a nearby news outlet, which verified the problem and ultimately managed to get in touch with Walmart after confirming the customer’s claim.
Walmart Canada quickly set up a redirection to another page, presumably to investigate a solution, after identifying the same vulnerability on a related page.
However, it is uncertain if any customer data was obtained by malicious individuals or how many customers may have been exposed to the issue.
March 2019 – Walmart Data Breach
In March 2019, reports surfaced that an investigation was underway regarding the unauthorized access of internal Walmart emails by workers of a third-party vendor of Walmart.
The vendor in question was Compucom, a technology contractor that was purchased by Office Depot in 2017.
The FBI included the names of Compucom staff in a search warrant, alleging that they had examined Walmart’s internal communications to gain an advantage over rivals while submitting contract proposals.
It has been reported that the act of snooping through emails started in late 2015 and lasted until early 2016. It is alleged that an employee of Compucom shared information found in Walmart company emails using his personal email account.
An employee from Compucom stumbled upon the activity after taking a photo of an internal message from Walmart that discussed disciplinary action.
The employee then sent the photo to a Walmart colleague, but it was accidentally forwarded to another Walmart employee’s daughter, who then reported the incident.
March 2018 – Walmart Data Breach
Data on 1.3 million customers of Limoges Jewelry, a Walmart Partner operated by MBM Company, was exposed after an Amazon S3 bucket was made publicly accessible by the company.
Initially, a cybersecurity firm suspected that the data leak involved Walmart-managed data, but it was later discovered that the responsibility lay with MBM Company.
A considerable quantity of personally identifiable information (PII) of customers was present in the database, comprising names, addresses, phone numbers, emails, and unencrypted passwords.
The records pertained to over 1.3 million customers from the United States and Canada who shopped at Walmart and other prominent retailers like Amazon and Target.
The data being studied by researchers was believed to be a potential primary customer database for MBM Company, with some of the records dating back to 2000 and others as recent as early 2018.
July 2015 – Walmart Data Breach
Walmart Canada and CVS announced in July 2015 that millions of customers may have had their credit card information compromised due to a potential data breach involving a Canadian third-party tech vendor associated with the photo processing section of their websites.
Staples-owned PNI Digital Media, responsible for hosting the photo processing sites and gathering customer payment information, was the third party mentioned. As a result, the retailers decided to deactivate the photo-processing features of their sites and mobile apps.
October 2009 – Walmart Data Breach
In 2009, it was reported that Walmart’s point-of-sale system source code had been hacked. The hack is said to have taken place in 2005 and 2006, during which time the hackers targeted the development team responsible for creating the point-of-sale system.
The source code, as well as other confidential information, was sent to a computer located in Belarus.
Before news of the breach became public, Walmart was already aware of it and regarded it as an internal matter since it did not involve any sensitive customer data.
In 2006, Walmart took action to address the problem, including notifying federal law enforcement, which was already investigating other similar breaches that occurred during the same period.
After experiencing a server crash, Walmart detected a breach in its system. During their investigation of the server, they discovered a password-cracking tool, which was the cause of the crash.
Further analysis revealed that the tool had been installed by a hacker who had gained remote access to the system through a VPN account linked to a former Walmart employee. The account had not been adequately closed after the employee’s departure from the company.
Following the deactivation of the initial VPN account, the hacker endeavored to gain access through a secondary VPN account that belonged to another staff member. After the second VPN was terminated, the hacker made a third attempt using a different account.
The inquiry uncovered evidence suggesting that the hacker may have targeted over 800 devices since June 2005.