CVS Suffers a Security Migraine

Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), a grass-roots group, has accused pharmacy chain CVS of having a security hole in its Web site that allowed access to personal--and potentially embarrassing--purchase information of the chain's loyalty card customers. The group asserts that by logging on using the ExtraCare card number, the first three letters of the customer's last name, and his zip code, anyone could receive an emailed list of his purchases. CVS has issued more than 50 million ExtraCare cards, according to CASPIAN. Katherine Albrecht, founder and director of CASPIAN, demonstrated the security flaw by asking volunteers to sign up for an ExtraCare card and to make purchases. She then asked the volunteers for their card numbers and zip codes. With that information she requested a list of purchased items be sent to an email account temporarily set up for the demonstration. According to Albrecht, within 24 hours she received a purchase list of items, including condoms, a home pregnancy test, and enema kits, as well as purchase dates and prices. "CVS is collecting massive amounts of information on people through its ExtraCare card, and this program was apparently created as a way to justify their enormous databases to consumers," Albrecht said in a written statement. "But the scheme backfired and has given us all a sense of how insecure the data really is. This demonstration underscores why companies should not be collecting purchase information like this in the first place." CVS is one of the latest businesses to face a data security infringement. MasterCard International announced last week that it experienced a security breach that exposed more than 40 million payment cards to fraud. Earlier this month CitiFinancial alerted 3.9 million of its U.S. customers that computer tapes holding personal information, including names, Social Security numbers, account numbers, and payment history were lost. Other organizations that have suffered security breaches include Bank of America, ChoicePoint, LexisNexis, Time Warner, and Wachovia. Wayne Eckerson, director of research and services at The Data Warehousing Institute, sees these events as lessons to organizations to continuously invest in protection "or else they're going to be vulnerable to attack." For companies to protect themselves from data security meltdowns, he contends they must view data as a critical asset, and implement a security policy to manage that information in a secure manner. "That extends to partners who have been given authority to handle information...[and] it also applies to managing employees' access to information," he says. "As anyone in the security space will tell you, most security breaches happen from the inside." For customers, however, "we can do our own vigilance, as well," he says. He offers tips, including being wary of divulging personal information like a Social Security number, and to track credit card purchases, to avoid fraud. "It's always a two-way street," he says. "There's a tradeoff if you want to do business. If you want to get the benefits of a loyalty card [or] you want to use a credit card to facilitate transactions, you are exposing yourself to some degree of risk." Related articles: CitiFinancial 'Deeply Regrets' Customer Info Breach Fear and Loathing in the Database AOL Tightens Its Phishing Net