6/22/2005

Security breach at CVS?

This is not exactly what I would call a major breach of security, but it is a nice reminder that not all your information is safe. Sure, this was not information containing Social Security numbers; it is nonetheless what I would consider sensitive information. Medical information is something that should be regarded as "close hold," and prescription services fall into that category for me.

While somewhat out there, how hard would it be for the local bad guys to patiently sift through accounts looking for the person on Oxycontin? Even if they only find a person a day or so, that is enough info for them to make some money. They know your meds and can get your address; that's all they need.

Oxycontin sells on the street for between $1 and $2 per mg, which means a 30-day supply of 40 mg pills has a street value of about $2,400-4,800, depending on location in the country. Not a bad haul for a few minutes' work, and the people who would be looking for this stuff know exactly where most people might keep it. Hit a house or two a week and it can tally up to $250-500K a year, from swiping a bottle of pills.

Far-fetched scheme? Sure, but not an unrealistic one. Most people who steal that information do not use it themselves; they sell it to someone who can. Be careful of who and where you give your information to; it might seem innocuous, but you just never know.

CVS Corp., the drugstore chain based in Woonsocket, R.I., shut down one of its Internet services after a privacy advocate discovered a security flaw that could leak embarrassing information about its customers.

"We kind of took advantage of a little security loophole they had on their website," said Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering.

The CVS site included a feature for people whose employers offer "flexible spending accounts." This benefit lets workers set aside some untaxed income to pay for special needs, including nonprescription pharmacy supplies. Workers must provide purchase data to their employers to be reimbursed.

To make the process easier, CVS let customers sign up for a service that would track all their purchases that were eligible for reimbursement. For each purchase, the customer would swipe a CVS ExtraCare card, which allowed CVS to track everything the customer bought. This information was stored in a database, and the customer could have a copy of the data sent to him via e-mail.

But Albrecht found she could access anybody's records by obtaining a CVS card number, the person's ZIP code, and the first three letters of his or her last name. Albrecht could then have the data sent to her own e-mail address. Since ExtraCare cards are often attached to key chains, Albrecht said, it would be easy for someone to steal a number.

Albrecht worked with others to test the system, and found she was able to identify when and where people bought such sensitive items as condoms and pregnancy test kits. "CVS has got some very intimate information about their customers," Albrecht said.

CVS shut down the flexible spending system when informed of the security breach.

Eileen Howard Dunn, vice president of corporate communications, said CVS has issued about 50 million ExtraCare cards, but that only a small fraction of cardholders use the flexible spending account service. Dunn said the database did not include information that could be used in an identity theft, such as financial data or Social Security numbers.

She said there have been no reports that any data were stolen.

Dunn said the service will resume once the company upgrades its security procedures.
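The lookup the article describes, modeled as an added example (this is not CVS's code; the records, card numbers, e-mail addresses and session tokens are constructed). The weak version treats a card number, ZIP code and name prefix as authentication and mails the report wherever the caller asks; the hardened version requires a session bound to the card and only ever sends to the address registered on the account.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    card: str        # card number, printed on the key-chain tag
    zip_code: str
    last_name: str
    email: str       # address supplied when the customer enrolled
    purchases: list = field(default_factory=list)

# Constructed sample data; every value below is made up for the example.
ACCOUNTS = {
    "4000111122223333": Account("4000111122223333", "02895", "Smith",
                                "smith@example.com",
                                ["2005-06-01 pregnancy test kit",
                                 "2005-06-10 first-aid bandages"]),
}
# Session tokens, issued only after a real login (password or similar).
SESSIONS = {"tok-smith-9f1c": "4000111122223333"}

def identifiers_match(acct, zip_code, name_prefix):
    """Card-holder identifiers: visible on the card or easy to look up,
    so matching them proves little on their own."""
    return (acct.zip_code == zip_code
            and acct.last_name.lower().startswith(name_prefix.lower()))

def weak_send_report(card, zip_code, name_prefix, destination):
    """Model of the flaw: identifiers stand in for authentication and the
    caller chooses where the purchase history is e-mailed."""
    acct = ACCOUNTS.get(card)
    if acct is None or not identifiers_match(acct, zip_code, name_prefix):
        return None
    return {"to": destination, "purchases": list(acct.purchases)}

def hardened_send_report(card, zip_code, name_prefix, session_token):
    """Hardened model: the request must carry a session bound to this card,
    and the report only ever goes to the address on file. There is no
    caller-supplied destination to abuse."""
    acct = ACCOUNTS.get(card)
    if acct is None or SESSIONS.get(session_token) != card:
        return None
    if not identifiers_match(acct, zip_code, name_prefix):
        return None
    return {"to": acct.email, "purchases": list(acct.purchases)}
```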
