A major pharmacy chain’s program designed to let customers view a history of their purchases in e-mail had weak enough security to make it vulnerable to identity thieves, forcing the chain to temporarily shut down its Web site while it reconsidered security.
The chain was CVS Corp., which has more than 5,400 stores in the United States.
The program, called ExtraCare, was created to allow consumers to qualify CVS nonprescription products for government- and insurance company-sanctioned flexible spending account programs.
Those programs allow for consumers to set aside a portion of their salaries—using pre-tax dollars—for medical costs, but they must spend all of the dollars.
Customers were issued an ExtraCare card with a number on it. To access a history of their purchases, they’d access the Web site and have to provide three pieces of information: the 11-digit card number, their ZIP code and the first three letters of their last name. The list would then be e-mailed to the e-mail address provided, which did not have to be the e-mail address on file.
A privacy advocacy group called CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) tested the system and found it easy to fool.
The group even grabbed the recent purchases of a news reporter and had them e-mailed to the group’s domain to prove to the reporter how weak the security was, said CASPIAN director Katherine Albrecht.
The flexible spending account products “fall into the most private categories, including family planning and medical testing,” Albrecht said.
The three identifiers CVS chose were far too easy to find or guess, she said. The card number is both imprinted on the card—where it can be easily seen by someone else in line—and on every receipt, she said.
A statement from CVS, headquartered in Woonsocket, R.I., said the full card number is not printed on the receipt, but it was unclear whether enough of the number is used to give someone access. CVS did not reply to repeated e-mails and voice-mails messages sent by Ziff Davis Internet over several days seeking clarification.
Albrecht said such cards are often carried where others can see them. “Millions of people have them hanging off their keychains,” she said.
“If I were a private eye or snoopy ex-spouse or a jealous boyfriend,” the card number would be easy to identify, and those people would already know the ZIP code and the person’s last name, Albrecht said.
Even if they didn’t know the ZIP code, it would be easy to try the neighboring ZIP codes surrounding that store, she said. CVS clerks often call customers by their last names, so that is also not a difficult-to-find piece of information for the intrepid snooper.
“CVS didn’t have adequate security protections in place,” Albrecht said. “CVS is not taking this information seriously.”