CVS Failed to Protect Customer Privacy Online

In 2005, privacy advocates found a security hole in CVS’s website that allowed anyone "with the barest of personal information" to obtain a list of items customers had purchased using their ExtraCare cards. Anyone who knew a customer’s ExtraCare card number, last name and zip code could log on to the site and learn what the customer had bought. The site was not password protected. To test the weakness, a reporter gave privacy advocate Katherine Albrecht the reporter’s ExtraCare card number and then bought items including condoms, acne treatment, an enema and a pregnancy test kit. Albrecht emailed the reporter a list of the items, which she had obtained from the CVS website, complete with UPC codes and dates of purchase. Albrecht noted that with ExtraCare cards on key chains as well as in wallets, anyone from mechanics and parking attendants to acquaintances and ex-spouses could gain access to private purchase information. CVS now says it handles customers’ requests for lists of ExtraCare purchases by telephone.