[ISN] Security Flaw Exposes CVS Purchase Data

Date: Wed, 22 Jun 2005 01:45:22 -0500 (CDT)
http://www.washingtonpost.com/wp-dyn/content/article/2005/06/21/AR2005062100999.html

By MICHELLE R. SMITH
The Associated Press
June 21, 2005

PROVIDENCE, R.I. -- A security hole that allowed easy access to the
purchase information of millions of CVS Corp.'s loyalty card customers
prompted the company to pull Internet access to the data on Tuesday.

The Woonsocket-based drugstore chain, which has issued 50 million of
the cards, said it would restore Web-based access to the information
after it creates additional security hurdles.

The data security flaw in the ExtraCare card service was exposed
Monday by the grassroots group Consumers Against Supermarket Privacy
Invasion and Numbering, or CASPIAN.

It said anyone could learn what a customer had purchased with an
ExtraCare card by logging on to a company Web site with the card
number, the customer's zip code and first three letters of the
customer's last name.

Once logged on, a list of recent purchases could be sent to an e-mail
account. Information about prescriptions was not provided, and the
list of purchases was only available by e-mail.

CASPIAN director Katherine Albrecht said a test she conducted showed a
list of possibly embarrassing purchases, including condoms and a home
pregnancy test kit, the date they were purchased and how much they
cost.

Albrecht applauded the company's move to make the data more secure but
said she was still concerned.

"This underscores the amount of data -- the very sensitive data -- about
us that CVS has been collecting," she said.

Eileen Howard Dunn, a CVS spokeswoman, said the company provides the
information as a service to customers. She emphasized that
prescription information was not available. CVS said the service had
been in place about 6 months.

"There's no material medical information on there at all," said Dunn,
and CVS said only a very small number of customers had used the
service. Spokesman Todd Andrews said CVS was working quickly to put in
place either password protection or some other security measure.

Until then, customers can get the information by calling customer
service, he said.

CVS said the company had no knowledge of anyone gaining access to
customer information improperly. Andrews said customers' Social
Security and credit card numbers were not posted and the information
that was available could not lead to any identity theft.

CVS has 5,400 stores in 36 states and the District of Columbia.


