Clips and Samples

back to Clips & Samples

June 25, 2005

CVS Shuts Down Site After Security Leak

By Evan Schuman, Ziff Davis Internet

A major pharmacy chain's program designed to let customers view a history of their purchases in e-mail had weak enough security to make it vulnerable to identity thieves, forcing the chain to temporarily shut down its Web site while it reconsidered security.

The chain was CVS Corp., which has more than 5,400 stores in the United States.

The program, called ExtraCare, was created to allow consumers to qualify CVS nonprescription products for government- and insurance company-sanctioned flexible spending account programs.

Those programs allow for consumers to set aside a portion of their salaries—using pre-tax dollars—for medical costs, but they must spend all of the dollars.

Customers were issued an ExtraCare card with a number on it. To access a history of their purchases, they'd access the Web site and have to provide three pieces of information: the 11-digit card number, their ZIP code and the first three letters of their last name. The list would then be e-mailed to the e-mail address provided, which did not have to be the e-mail address on file.

A privacy advocacy group called CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) tested the system and found it easy to fool.

The group even grabbed the recent purchases of a news reporter and had them e-mailed to the group's domain to prove to the reporter how weak the security was, said CASPIAN director Katherine Albrecht.

The flexible spending account products "fall into the most private categories, including family planning and medical testing," Albrecht said.

The three identifiers CVS chose were far too easy to find or guess, she said. The card number is both imprinted on the card—where it can be easily seen by someone else in line—and on every receipt, she said.

A statement from CVS, headquartered in Woonsocket, R.I., said the full card number is not printed on the receipt, but it was unclear whether enough of the number is used to give someone access. CVS did not reply to repeated e-mails and voice-mails messages sent by Ziff Davis Internet over several days seeking clarification.

Albrecht said such cards are often carried where others can see them. "Millions of people have them hanging off their keychains," she said.

"If I were a private eye or snoopy ex-spouse or a jealous boyfriend," the card number would be easy to identify, and those people would already know the ZIP code and the person's last name, Albrecht said.

Even if they didn't know the ZIP code, it would be easy to try the neighboring ZIP codes surrounding that store, she said. CVS clerks often call customers by their last names, so that is also not a difficult-to-find piece of information for the intrepid snooper.

"CVS didn't have adequate security protections in place," Albrecht said. "CVS is not taking this information seriously."

After CASPIAN's efforts received media coverage, CVS took down its ExtraCare Web site and said in a statement that it is "in the process of creating additional security hurdles for accessing this purchase information."

The statement stressed that prescription information was not disclosed, but it didn't indicate why the company thought that revealing a prescription antibiotic would be more damaging to a customer than revealing a contraceptive or pregnancy-test purchase.

"The CVS ExtraCare Web site was developed to give customers easy access to their own purchase information for purposes of filing FSA claims for over-the-counter items. The information contained on the Web site does not include prescription purchases," the statement said. "The information does not include Social Security numbers, credit card numbers or any other information that could lead to identity theft."

The statement also discussed the initial security procedures and limits. "In order to utilize this Web-based information, customers need to input their last name, their ZIP code and their 11-digit ExtraCare card number. Customer names or addresses are not printed on ExtraCare cards. Full ExtraCare card numbers are not printed on receipts," the statement said.

"The security procedures implemented to protect information which is accessed for FSA-related customer needs have been carefully designed and we believe are effective. We have received absolutely no indication from any of our ExtraCare cardholders that this information had been improperly accessed."

The statement then alluded to Albrecht's interviews. "A recent press report has highlighted a means to gain unintended access to customer purchase information. In light of our absolute commitment to customer privacy, we are in the process of creating additional security hurdles for accessing this purchase information," the statement said.

"Until those measures are in place, FSA-related information will not be available on our Web site."

An Associated Press report quoted a CVS spokesperson as saying that until Web access is returned, access to that purchase information will be limited to telephone customer service.

But when Ziff Davis Internet News called CVS customer service, they told a different story. Customer service referred the matter to the ExtraCare department.

A representative in ExtraCare said they are not permitted to provide the information even on the phone until new security procedures are put in place.

CVS spokesperson Michael DeAngelis said in an e-mail—received after customer service said the information was not available on the phone—"Yes, customers can still call our customer-service number and request their info for the purpose of filing FSA claims." A reply e-mail asking him to reconcile that comment with the customer service statement went unanswered.

That ExtraCare representative said no new identification requirements will be imposed on customers. Given that the alleged security hole consisted of inadequately stringent authentication procedures, it was unclear how security could be tightened without seeking additional—or stronger—identification methods. CVS also did not respond to requests to clarify that issue.