Privacy group accesses data from loyalty web site
A consumer privacy group was recently able to access loyalty card data from CVS's ExtraCare web site. CVS has temporarily prevented members from accessing their details until a patch has been applied.
Katherine Albrecht, founder and director of CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), asked volunteer reporters to sign up for a CVS ExtraCare card and purchase health-related items. Then, knowing and using their card numbers, surnames and zip codes, she accessed the US-based pharmacy chain's ExtraCare web site and requested that the company send a list of items that they had purchased to a temporary email account she had set up for the purpose. In each case, CVS responded within 24 hours, sending her the lists detailing purchases.
In reply to The Wise Marketer's questions, CVS sent us the following statement, which we publish in full:
CVS's statement
"The CVS ExtraCare website was developed to give customers easy access to their own purchase information for purposes of filing FSA claims for over-the-counter items. The information contained on the web site does not include prescription purchases. The information does NOT include social security numbers, credit card numbers or any other information that could lead to identity theft.
In order to utilise this web-based information, customers need to input their last name, their zip code and their eleven-digit ExtraCare card number. Customer names or addresses are not printed on ExtraCare cards. Full ExtraCare card numbers are not printed on receipts. The security procedures implemented to protect information which is accessed for FSA-related customer needs have been carefully designed and we believe are effective. We have received absolutely no indication from any of our ExtraCare cardholders that this information had been improperly accessed.
However, a recent press report has highlighted a means to gain unintended access to customer purchase information. In light of our absolute commitment to customer privacy, we are in the process of creating additional security hurdles for accessing this purchase information. Until those measures are in place, FSA-related information will not be available on our website."