CVS Addresses Loyalty Card Security Breach

Drugstore chain CVS discontinued a pharmacy-tracking service for its ExtraCare cardholders after a consumer privacy watchdog group found a way to access sensitive purchase data.

The service let cardholders with flexible spending accounts (through their employers) keep track of their CVS purchases online in order to be reimbursed by their employers. Users swiped their ExtraCare card at checkout to record all purchases, then could request proof of their purchases via e-mail to submit for reimbursement.

Watchdog group Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) breached the system, accessing consumers’ purchase history with a CVS card number, ZIP code and the first three letters of the cardholder’s last name.

CASPIAN Director Katherine Albrecht asked volunteers to register for an ExtraCare card and then buy health-related items. Using their card numbers and ZIP codes, Albrecht went to CVS’ Web site and requested that the company send a list of purchased items. Data was sent within 24 hours to Albrecht’s e-mail account, including type of products purchased (including condoms, a home pregnancy test kit and enema kits), UPCs, purchase date and price.
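The weakness the article describes is knowledge-based verification built on attributes that are easy to obtain (card number, ZIP code, three letters of a surname), combined with delivery of the full purchase list to any e-mail address the requester supplies. The Python example below is added here for illustration and is not CVS's code; the record layout, the binding of a verified e-mail address to each enrolled card, and the single-use token flow are assumptions. It contrasts that weak lookup with a hardened request flow that sends a retrieval token only to the address on file, returns the same reply whether or not the details matched, and caps attempts per card number.

```python
# Added illustration, not CVS's code. The account record layout, the
# e-mail-on-file binding and the one-time-token flow are assumptions.
from dataclasses import dataclass
from typing import Optional
import secrets
import time


@dataclass
class Account:
    card_number: str
    zip_code: str
    last_name: str
    email_on_file: str      # assumed: address verified when the card was enrolled
    purchases: list


# Constructed sample data for the example; not real cardholder records.
ACCOUNTS = {
    "4000111122223333": Account(
        "4000111122223333", "12345", "Smith", "holder@example.com",
        ["2004-09-01 UPC 012345678905 home pregnancy test $12.99"]),
}

GENERIC_REPLY = ("If this card is enrolled, a retrieval link has been sent "
                 "to the e-mail address on file.")


def weak_lookup(card_number: str, zip_code: str, name_prefix: str,
                deliver_to: str) -> Optional[dict]:
    """The pattern the article describes: three widely known, low-entropy
    attributes authorize delivery of the full purchase list to whatever
    address the requester types in."""
    acct = ACCOUNTS.get(card_number)
    if (acct and acct.zip_code == zip_code
            and acct.last_name[:3].lower() == name_prefix.lower()):
        return {"to": deliver_to, "purchases": acct.purchases}
    return None


class HardenedService:
    """Same feature, with the delivery address bound to the enrolled account,
    a single-use token that expires, and a per-card attempt limit."""

    def __init__(self, max_attempts: int = 5, token_ttl: float = 900.0):
        self.max_attempts = max_attempts
        self.token_ttl = token_ttl
        self._attempts = {}   # card_number -> number of requests seen
        self._tokens = {}     # token -> (card_number, expiry timestamp)
        self.outbox = []      # (recipient, token); stands in for the mail sender

    def request_history(self, card_number: str, zip_code: str,
                        name_prefix: str) -> str:
        # Count every attempt against the card so guessing ZIP/name is bounded.
        n = self._attempts.get(card_number, 0) + 1
        self._attempts[card_number] = n
        if n > self.max_attempts:
            return GENERIC_REPLY            # same reply: no lockout oracle
        acct = ACCOUNTS.get(card_number)
        if (acct and acct.zip_code == zip_code
                and acct.last_name[:3].lower() == name_prefix.lower()):
            token = secrets.token_urlsafe(32)
            self._tokens[token] = (card_number, time.monotonic() + self.token_ttl)
            # Only the address verified at enrollment ever receives the link;
            # the requester never chooses where the data goes.
            self.outbox.append((acct.email_on_file, token))
        return GENERIC_REPLY                # identical whether or not it matched

    def redeem(self, token: str) -> Optional[list]:
        entry = self._tokens.pop(token, None)   # single use
        if entry is None:
            return None
        card, expiry = entry
        if time.monotonic() > expiry:
            return None
        return ACCOUNTS[card].purchases


if __name__ == "__main__":
    print(weak_lookup("4000111122223333", "12345", "smi", "other@example.net"))
    svc = HardenedService()
    print(svc.request_history("4000111122223333", "12345", "smi"))
    print(svc.outbox[0][0], "->", svc.redeem(svc.outbox[0][1]))
```

The two design points worth noting are that the hardened reply is identical for a match, a mismatch and a rate-limited request, so a requester learns nothing about whether a card number is enrolled, and that the token is only ever addressed to the enrolled e-mail, so knowing the three attributes on its own no longer yields the purchase list.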

Woonsocket, RI-based CVS shut down the service but plans to resume once security is tightened, according to news reports. CVS has issued about 50 million ExtraCare cards, but only a small fraction of shoppers use the flexible spending account service. There have been no reports of data being stolen through the service.