CASPIAN: Consumers Against Supermarket Privacy Invasion and Numbering

Press Releases

FOR IMMEDIATE RELEASE
June 20, 2005

CASPIAN Warns of CVS Loyalty Card Security Hole
Pharmacy chain's ExtraCare card offers up embarrassing secrets

Use your CVS ExtraCare card to buy items like condoms, incontinence pants or an enema kit, and coworkers, family members and possibly even your mechanic could know. All they need is access to the ExtraCare loyalty card number dangling from your keychain or printed on your receipt, the first three letters of your last name, and your zip code.

Katherine Albrecht, founder and director of CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), demonstrated the CVS security hole to several reporters, including Jack Neff, whose account of the company's lax controls over consumer information will run in an Advertising Age article today.

Albrecht asked volunteer reporters to sign up for a CVS ExtraCare card and purchase health-related items. Then she asked only for their card numbers and zip codes. Armed with that information, she accessed the CVS website and requested that the company send a list of purchased items to a temporary email account she had set up for the purpose.

In each case, CVS responded within 24 hours, sending her lists detailing purchases of sensitive items like Trojan Twisted Pleasure condoms, a home pregnancy test kit, and enema kits. Information in the emails included products purchased, date of purchase, price paid, and UPC numbers. An example email is posted at the organization's website at www.nocards.org.

CVS offers the email purchase histories so consumers can prove their over-the-counter medical product purchases qualify for a federal tax program. Qualifying purchases can be reimbursed through a so-called flexible spending account, or FSA. However, CVS makes the information available on every ExtraCare cardholder, whether they request the service or not.

"CVS is collecting massive amounts of information on people through its ExtraCare card, and this program was apparently created as a way to justify their enormous databases to consumers," says Albrecht. "But the scheme backfired and has given us all a sense of how insecure the data really is. This demonstration underscores why companies should not be  collecting purchase information like this in the first place."

Albrecht believes CVS should shut down the program and contact all ExtraCare card holders to let them know that their information has been placed at risk. "They've subjected potentially millions of their customers to privacy invasion," she noted.

Notifying customers of the data security hole could be quite an undertaking for the Woonsocket, RI-based company. They have over 5,000 stores in 36 states and have reportedly issued over 50 million of the cards.



CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) is a grass-roots consumer group fighting retail surveillance schemes since 1999. With thousands of members in all 50 U.S. states and over 30 countries worldwide, CASPIAN seeks to educate consumers about marketing strategies that invade their privacy and to encourage privacy-conscious shopping habits across the retail spectrum.

For more information, see:
http://www.nocards.org




© 1999-2005 Katherine Albrecht. All rights reserved.