[ISN] Security Flaw Exposes CVS Purchase Data

InfoSec News isn at c4i.org
Wed Jun 22 02:45:22 EDT 2005


The Associated Press
June 21, 2005

PROVIDENCE, R.I. -- A security hole that allowed easy access to the
purchase information of millions of CVS Corp.'s loyalty card customers
prompted the company to pull Internet access to the data on Tuesday.

The Woonsocket-based drugstore chain, which has issued 50 million of
the cards, said it would restore Web-based access to the information
after it creates additional security hurdles.

The data security flaw in the ExtraCare card service was exposed
Monday by the grassroots group Consumers Against Supermarket Privacy
Invasion and Numbering, or CASPIAN.

It said anyone could learn what a customer had purchased with an
ExtraCare card by logging on to a company Web site with the card
number, the customer's zip code and first three letters of the
customer's last name.

Once logged on, a list of recent purchases could be sent to an e-mail
account. Information about prescriptions was not provided, and the
list of purchases was only available by e-mail.

CASPIAN director Katherine Albrecht said a test she conducted showed a
list of possibly embarrassing purchases, including condoms and a home
pregnancy test kit, the date they were purchased and how much they

Albrecht applauded the company's move to make the data more secure but
said she was still concerned.

"This underscores the amount of data _ the very sensitive data _ about
us that CVS has been collecting," she said.

Eileen Howard Dunn, a CVS spokeswoman, said the company provides the
information as a service to customers. She emphasized that
prescription information was not available. CVS said the service had
been in place about 6 months.

"There's no material medical information on there at all," said Dunn,
and CVS said only a very small number of customers had used the
service. Spokesman Todd Andrews said CVS was working quickly to put in
place either password protection or some other security measure.

Until then, customers can get the information by calling customer
service, he said.

CVS said the company had no knowledge of anyone gaining access to
customer information improperly. Andrews said customers' Social
Security and credit card numbers were not posted and the information
that was available could not lead to any identity theft.

CVS has 5,400 stores in 36 states and the District of Columbia.

More information about the ISN mailing list