When Will Companies Learn?
Another day, another disclosure that some nationwide company has improperly secured or otherwise lost control of data about their customers. What day is it, Tuesday? Oh, then it must be Large Chain Drugstore Disclosure Day.
I'm sure I'm not alone in feeling a tad uneasy and angry when I read stories like this one: Apparently, the good people at CVS have been recording what consumers buy on their Web site and then making that data available to anyone with the right information at their fingertips.
From the story: "Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN, said Monday that people could learn what items a customer had purchased with a [CVS] ExtraCare card by logging on to a company Web site with the card number, the customer's Zip code and first three letters of the customer's last name."
"The Woonsocket-based drugstore chain said it was creating additional security hurdles to the information. Fifty million ExtraCare cards have been issued, CVS said."
Fifty million cards sent through the mail? That's an expensive "oops," in more ways than one. Unlike the lady who runs CASPIAN, I don't have anything against the notion of trading some information about what I buy in the store for some savings in the checkout line, but I would prefer that the data wasn't shared with the entire world. Granted, it appears you still need a fair amount of information to pull off this hack, but didn't it occur to anyone at CVS that maybe they should require the user to supply a password or something? Certainly they have a right to it, but it's not really clear to me why CVS customers need to be able to view that data.
According to the story, CVS said it has taken the site down while it works on doing just that. But what is it going to take to convince companies that it's in everyone's best interests to be a bit more careful and proactive with their customers' data? Apparently, many more incidents like this, and maybe a whole bunch of new state data privacy and breach notification laws.
Still, maybe the critics of the data breach notification laws are right: If the disclosures keep up at this pace, pretty soon they'll become nothing but background noise that elicits from the public little more than a collective shrug. Sigh.