CVS ends Web site feature over privacy concerns
An unauthorized person could track other customers' purchases by e-mail
Computerworld - Retail drugstore chain CVS Corp. has temporarily disabled a feature on its Web site that allowed an unauthorized person to improperly obtain customer purchase records via e-mail.
In a statement yesterday, Woonsocket, R.I.-based CVS acknowledged that it had disabled a feature that allows registered users of its CVS ExtraCare loyalty cards to track purchases made under "flexible spending accounts" (FSA) set up through their employers. The loyalty cards offer discounts to shoppers who register for the cards and allow CVS to gather information about their purchases.
More than 50 million customers use its ExtraCare loyalty cards, CVS said.
The problem with the ExtraCare cards, said Katherine Albrecht, founder and director of the Web-based consumer group CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), is that anyone can access a cardholder's purchase records if they have the user's 11-digit account number, ZIP code and the first three letters of their last name. Such scenarios could occur, she said, when an ExtraCare cardholder takes his car to a mechanic and hands over their keys -- including the ExtraCare key ring card that has a printed account number on it.
As part of its ExtraCare FSA records, CVS collects and stores data about a cardholder's purchases, including the time and date of the purchase, items purchased, store location, universal product code and the customer's name, Albrecht said. Cardholders could go to the CVS ExtraCare Web page and request a copy of their FSA purchases via e-mail, but the feature was disabled this week.
"The biggest issue is why does CVS have all this data on the site in the first place?" Albrecht said.
CVS didn't respond to several requests for comment. But in its statement, the company said the online feature was designed to provide customers with "easy access to their own purchase information for purposes of filing FSA claims for over-the-counter items."
The information on the Web site doesn't include prescription purchases, nor does it include Social Security numbers or credit card numbers that could lead to identity theft, the company said.
"The security procedures implemented to protect information ... accessed for FSA-related customer needs have been carefully designed, and we believe are effective," the statement said. "We have received absolutely no indication from any of our ExtraCare cardholders that this information had been improperly accessed."
CVS said it won't bring the FSA feature back until it has created "additional security hurdles for accessing this purchase information" online.
CASPIAN is a grass-roots consumer group that has opposed retail surveillance efforts since 1999.
Read more about Privacy in Computerworld's Privacy Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Privacy White Papers | Webcasts