CVS Ends Online Service To Track Products Over Security Concerns
Drugstore chain CVS halted an Internet service that allowed customers with flexible spending accounts to track their CVS purchases after the company was notified that a security flaw could permit others to access customers' personal information, the Boston Globe reports.
The CVS service allowed consumers to track purchases that were eligible for reimbursement from their employer under FSAs. Purchases were recorded when customers swiped their CVS ExtraCare card at the time of a transaction. The information was stored in a database, and the customer could request a copy of the data via e-mail.
Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering, discovered that she could access customers' records and have them e-mailed to her by obtaining customers' CVS card numbers, their ZIP codes and the first three letters of their last names. Albrecht found she was able to identify when and where people bought items, including personal items such as condoms and pregnancy test kits.
CVS Vice President of Corporate Communications Eileen Howard Dunn said the company has issued about 50 million ExtraCare cards, but only a small number of cardholders use the FSA service. Howard Dunn added that the database did not include financial data, Social Security numbers or other information that could be used in identity theft. Howard Dunn also said there have been no reports that data were stolen.
Albrecht said, "CVS has got some very intimate information about their customers. We kind of took advantage of a little security loophole they had on their Web site."
Howard Dunn said the service will resume after CVS upgrades its security procedures (Bray, Boston Globe, 6/22).