Computerworld - Drugstore chain CVS Corp. has temporarily disabled a feature on its Web site after concerns were raised that unauthorized persons could improperly obtain customer-purchase records via e-mail.
In a statement, Woonsocket, R.I.-based CVS acknowledged that it has turned off the feature that let registered users of its CVS ExtraCare loyalty cards request copies of their purchase data via e-mail and track purchases made under flexible spending accounts (FSA) set up through their employers.
The problem, said Katherine Albrecht, founder and director of the privacy advocacy group Consumers Against Supermarket Privacy Invasion and Numbering, is that anyone can access a cardholder's purchase records if they have the user's 11-digit account number, ZIP code and the first three letters of his last name.
As part of its ExtraCare FSA records, CVS collects and stores data such as the time and date of purchases, the items bought, store locations, universal product codes and customer names, Albrecht said. "The biggest issue is, why does CVS have all this data on the site in the first place?" she added.
CVS officials didn't respond to several requests for comment. But in its statement, the company said the online feature was designed to provide customers with "easy access to their own purchase information for purposes of filing FSA claims for over-the-counter items."
The information stored on the Web site doesn't include prescription purchases, nor does it include Social Security or credit card numbers, which could be used for identity theft, CVS added.
"The security procedures implemented to protect information ... accessed for FSA-related customer needs have been carefully designed, and we believe [they] are effective," the retailer said in the statement. CVS noted that it has received "absolutely no indication" from any cardholders that information has been improperly accessed.
Nevertheless, CVS said it won't restore the FSA-tracking feature until it has developed "additional security hurdles for accessing this purchase information."
Read more about Privacy in Computerworld's Privacy Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- The Truth About Virtual Computing for CAD If you're a user of graphics-intensive software such as 3D modeling, simulation and analysis, and visualization, you might be skeptical about moving to...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Simplifying Product Design In A Complex World Product design engineering has moved far beyond the confines of ever-more powerful workstations. Companies can't afford to restrict projects to using only local...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different.... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!