Network News

X My Profile
View More Activity

When Will Companies Learn?

Another day, another disclosure that some nationwide company has improperly secured or otherwise lost control of data about their customers. What day is it, Tuesday? Oh, then it must be Large Chain Drugstore Disclosure Day.

I'm sure I'm not alone in feeling a tad uneasy and angry when I read stories like this one: Apparently, the good people at CVS have been recording what consumers buy on their Web site and then making that data available to anyone with the right information at their fingertips.

From the story: "Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN, said Monday that people could learn what items a customer had purchased with a [CVS] ExtraCare card by logging on to a company Web site with the card number, the customer's Zip code and first three letters of the customer's last name."

"The Woonsocket-based drugstore chain said it was creating additional security hurdles to the information. Fifty million ExtraCare cards have been issued, CVS said."

Fifty million cards sent through the mail? That's an expensive "oops," in more ways than one. Unlike the lady who runs CASPIAN, I don't have anything against the notion of trading some information about what I buy in the store for some savings in the checkout line, but I would prefer that the data wasn't shared with the entire world. Granted, it appears you still need a fair amount of information to pull off this hack, but didn't it occur to anyone at CVS that maybe they should require the user to supply a password or something? Certainly they have a right to it, but it's not really clear to me why CVS customers need to be able to view that data.

According to the story, CVS said it has taken the site down while it works on doing just that. But what is it going to take to convince companies that it's in everyone's best interests to be a bit more careful and proactive with their customers' data? Apparently, many more incidents like this, and maybe a whole bunch of new state data privacy and breach notification laws.

Still, maybe the critics of the data breach notification laws are right: If the disclosures keep up at this pace, pretty soon they'll become nothing but background noise that elicits from the public little more than a collective shrug. Sigh.

By Brian Krebs  |  June 21, 2005; 3:35 PM ET
Categories:  From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: When Will Companies Learn?
Next: When Will Companies Learn?


I'm very confused about this article. I am a CVS customer that shops online and I have to sign in with a log in name and password. I have tried to use other card numbers for access but I am unable to. Whoever has the ability to view other members shopping items has a sophisticated process for this access.
But please, correct me if I'm wrong.

Posted by: Tina Q | June 22, 2005 4:37 PM | Report abuse

To CLARIFY (which is what a Journalist SHOULD DO! Before writing a story)

1.] The site allowed Extra Care customers to obtain purchase data linked to thier card to submit to FTS (Flexible Medical Spending accounts) for reimbursement of qualified items.

2.] No Names, addresses, social security numbers or other personal data that could be used for any type of identity theft could be obtained, only merchandise purchase information.

3.] To obtain that information you had to have . . .
A.] Extra Care account/card number (only available on the card itself)
B.] The Extra care card holders zip code (You would have to know where they lived, again it is NOT on the cards)
C.] The First THREE letters of the Extra Care card holders last name.

After obtaining all that from the Extra Care customer and keying it into the Extra Care FTS site . . .
You would get an emailed list of what exactly . . . .
shaving cream?
band aids?
cold medicines?

And do what with that information?
Perhaps decide to buy a different cold medicine than you currently do!

Your supposed to be a Professional reporter/journalist, try researching a story and presenting facts instead of jumping on the ID Theft hype and running something that is inaccurate from a one person organization.

Identity theft is a significant issue that must be addressed by large and small companies alike, however propagating "hype" without researching the facts is just as abusive and reporters for large and small publications should be required to report factual stories NOT spew popular hype however hot the trend is in the media.

Posted by: JDS | June 23, 2005 1:05 PM | Report abuse

I suspect that JDS has a horse in this race, otherwise he/she would have noticed that Krebs did clarify.

He made no errors in this story, and it looks like he took care to get his facts straight.

What's your beef, JDS? Busy cleaning up in the IT department at CVS? Must be a little rough these days. Good luck!

Posted by: Renard | June 23, 2005 4:20 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company