The 50-million-strong ExtraCare program, the nation's largest retail-loyalty-card operation, has a potential security hole that allows anyone with a member's card number, zip code and last name to obtain via e-mail a potentially embarrassing and invasive list of that person's over-the-counter drug and family-planning purchases.
That potential was uncovered by privacy advocate Katherine Albrecht, founder of the group Consumers Against Supermarket Privacy Invasion and Numbering. In a test conducted for Advertising Age, Ms. Albrecht was given the account number of a reporter who went out and bought a list of sensitive products including Trojan Twisted Pleasure condoms, CVS private-label home-pregnancy and disposable enema kits, anti-itch and acne cream and decongestant tablets of the type that can also be used to make the illegal drug methamphetamine. She was able to e-mail back to the reporter a list of those purchases, complete with date of purchase and UPC codes.
CVS declined to comment at press time.
The retailer collects and sends such purchase data to customers as a benefit, making it easier for them to file reports for employer-sponsored flexible-spending accounts, which let employees buy drugs and medical services with pre-tax dollars. But Ms. Albrecht, using an anonymous Hotmail account she set up for this purpose, was able to obtain the information with only a last name, card number and zip code.
The information was not password protected, nor, apparently, did CVS match geographic portions of IP addresses for computers used to make the inquiries against the zip code entered.
Ms. Albrecht said many people could get the necessary basic information surreptitiously. She cited valet-parking attendants (for members with keychain cards), CVS store clerks who might take an interest in a customer, friends, acquaintances, spouses or ex-spouses. CVS also includes ExtraCare numbers on paper receipts when members use their cards to make purchases, potentially opening individuals' purchase data to anyone who finds a discarded receipt and can match it with a name and zip code.
Ms. Albrecht said she has no knowledge that anyone yet has used the security hole to get unauthorized data. "Even people who access this data legitimately need to realize this is probably the most sensitive information people have in their purchase records," she said. "The people wielding this information are not very thoughtful and they're wielding information that, frankly, I don't even think they should have."
The data vulnerability is a big potential problem for CVS, said Rick Ferguson, editorial director of The Colloquy Group, which publishes a magazine on loyalty programs, because consumers are particularly sensitive to how their grocery- and drug-card data is used and protected.
"The reason Albrecht's group has jumped on privacy issues through these discount programs is that in essence you're forcing the consumer to use the card to get [lower] prices, and that's different from a loyalty program where you're earning points and only participate if you've ... found the rewards appealing," he said. "Because consumers sometimes feel coerced about joining these programs, it gives them a heightened sensitivity about how the data is being used."
He believes Ms. Albrecht's group "has an agenda," but added, "If they are able to point out some areas where security is at risk, they're probably serving a purpose, and I think CVS will probably do everything they can to rectify it."
Mr. Ferguson said it's unusual for a loyalty program to provide access to customer data without a password or personal identification number. But he said CVS overall has probably the most successful and sophisticated grocery or drug shopper-card program in the U.S. Interpublic Group of Cos.' Draft Worldwide, Chicago, handles ExtraCare.
Privacy advocate Katherine Albrecht was given a reporter’s CVS ExtraCare account number, and was able to e-mail the reporter a list of products he bought at CVS, along with the purchase date and UPC codes.