CVS Shuts Down Site After Security Leak - CVS Responds (Page 2 of 2)
After CASPIAN's efforts received media coverage, CVS took down its ExtraCare Web site and said in a statement that it is "in the process of creating additional security hurdles for accessing this purchase information."
The statement stressed that prescription information was not disclosed, but it didn't indicate why the company thought that revealing a prescription antibiotic would be more damaging to a customer than revealing a contraceptive or pregnancy-test purchase.
"The CVS ExtraCare Web site was developed to give customers easy access to their own purchase information for purposes of filing FSA claims for over-the-counter items. The information contained on the Web site does not include prescription purchases," the statement said. "The information does not include Social Security numbers, credit card numbers or any other information that could lead to identity theft."
The statement also discussed the initial security procedures and limits. "In order to utilize this Web-based information, customers need to input their last name, their ZIP code and their 11-digit ExtraCare card number. Customer names or addresses are not printed on ExtraCare cards. Full ExtraCare card numbers are not printed on receipts," the statement said.
"The security procedures implemented to protect information which is accessed for FSA-related customer needs have been carefully designed and we believe are effective. We have received absolutely no indication from any of our ExtraCare cardholders that this information had been improperly accessed."
The statement then alluded to Albrecht's interviews. "A recent press report has highlighted a means to gain unintended access to customer purchase information. In light of our absolute commitment to customer privacy, we are in the process of creating additional security hurdles for accessing this purchase information," the statement said.
"Until those measures are in place, FSA-related information will not be available on our Web site."
An Associated Press report quoted a CVS spokesperson as saying that until Web access is returned, access to that purchase information will be limited to telephone customer service.
But when Ziff Davis Internet News called CVS customer service, they told a different story. Customer service referred the matter to the ExtraCare department.
A representative in ExtraCare said they are not permitted to provide the information even on the phone until new security procedures are put in place.
CVS spokesperson Michael DeAngelis said in an e-mail (received after customer service said the information was not available on the phone): "Yes, customers can still call our customer-service number and request their info for the purpose of filing FSA claims." A reply e-mail asking him to reconcile that comment with the customer service statement went unanswered.
That ExtraCare representative said no new identification requirements will be imposed on customers. Given that the alleged security hole consisted of inadequately stringent authentication procedures, it was unclear how security could be tightened without seeking additional, or stronger, identification methods. CVS also did not respond to requests to clarify that issue.
Evan Schuman can be reached at Evan_Schuman@ziffdavis.com.