Security flaw in CVS Corp's loyalty card service exposes purchase data

June 21, 2005

By Michelle Smith, Associated Press

PROVIDENCE, R.I. -- A security hole that allowed easy access to the purchase information of millions of CVS Corp.'s loyalty card customers prompted the company to pull Internet access to the data on Tuesday.

The Woonsocket-based drugstore chain, which has issued 50 million of the cards, said it would restore Web-based access to the information after it creates additional security hurdles.

The data security flaw in the ExtraCare card service was exposed Monday by the grassroots group Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN.

It said anyone could learn what a customer had purchased with an ExtraCare card by logging on to a company Web site with the card number, the customer's zip code and first three letters of the customer's last name.

Once logged on, a list of recent purchases could be sent to an e-mail account. Information about prescriptions was not provided, and the list of purchases was only available by e-mail.

CASPIAN director Katherine Albrecht said a test she conducted showed a list of possibly embarrassing purchases, including condoms and a home pregnancy test kit, the date they were purchased and how much they cost.

Albrecht applauded the company's move to make the data more secure but said she was still concerned.

"This underscores the amount of data _ the very sensitive data _ about us that CVS has been collecting," she said.

Eileen Howard Dunn, a CVS spokeswoman, said the company provides the information as a service to customers. She emphasized that prescription information was not available. CVS said the service had been in place about 6 months.

"There's no material medical information on there at all," said Dunn, and CVS said only a very small number of customers had used the ervice. Spokesman Todd Andrews said CVS was working quickly to put in place either password protection or some other security measure.

Until then, customers can get the information by calling customer service, he said.

CVS said the company had no knowledge of anyone gaining access to customer information improperly. Andrews said customers' Social Security and credit card numbers were not posted and the information that was available could not lead to any identity theft.

CVS has 5,400 stores in 36 states and the District of Columbia.

main page ATTRITION feedback