At the end of last week, on or around Friday, July 27th, 2018, Walgreens sent out a seemingly innocent email notice of Walgreens’ updated terms and conditions of use. But some people noticed that it contained a hidden message saying “Walgreens values your privacy. We recently became aware of fraudulent activity.”
Hidden text displayed in list preview but not in body of email
However, the statement discussing fraudulent activity was not visible anywhere within the regular text of the email, which reads, in full, “At Walgreens, we are constantly looking for ways to improve our products and services. In order to support such improvements and to ensure we are transparent in the way we serve you, we recently updated our Terms and Conditions of Use effective as of July 18, 2018. Among other things, the changes clarify: 1. What products and services are governed by the Terms and Conditions of Use; 2. How you may use our products and services; 3. The type of content you may upload to our systems, and how we may treat that content; and 4. How we will resolve any disputes that may arise between us. These Terms and Conditions of Use govern your use of our products and services, and are an important part of how we serve you. If you have recently visited Walgreens.com, created a Walgreens.com account, or made a purchase on Walgreens.com, you’ve already been made aware of these changes. If not, we invite you to review the full Terms and Conditions of Use here. If you do not agree with the revised Terms and Conditions of Use, you can choose to stop using our products and services. Thank you for being a Walgreens customer.”
Not a single mention of any fraudulent activity.
So, first, how did they do this, and second, did Walgreens have a data breach?
We’ll answer that in reverse order. First, yes, Walgreens did have a data breach (more on that below).
As to how they did it, they put the text in a section defined as the ‘preview’ (which is why some people with mail programs that offer a ‘preview’ mode saw it).
Code to put text in preview
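A check an email team could run on a template before sending, as an added example that is not from the original article or from Walgreens' email: it separates text hidden by inline CSS from the text a reader sees and reports hidden text that never appears in the body. The inline-style patterns, the function names and the sample markup are assumptions; only the quoted sentences in the sample come from the article.

```python
import re
from html.parser import HTMLParser

# Inline styles commonly used to hide preheader text (an assumed, non-exhaustive list).
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|mso-hide\s*:\s*all|"
    r"(?:font-size|max-height|opacity)\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}

class HiddenTextFinder(HTMLParser):
    """Split an HTML email body into visible and CSS-hidden text (assumes well-nested markup)."""
    def __init__(self):
        super().__init__()
        self.stack = []  # one bool per open element: is it, or an ancestor, hidden?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return  # void elements never get an end tag, so keep them off the stack
        style = dict(attrs).get("style") or ""
        parent_hidden = bool(self.stack) and self.stack[-1]
        self.stack.append(parent_hidden or bool(HIDING.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())  # collapse whitespace and line breaks
        if text:
            hidden = bool(self.stack) and self.stack[-1]
            (self.hidden if hidden else self.visible).append(text)

def hidden_only_text(html):
    """Return hidden text fragments that never appear in the visible body."""
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    shown = " ".join(finder.visible)
    return [t for t in finder.hidden if t not in shown]

# Constructed sample: the sentences are quoted in the article, the markup is assumed.
SAMPLE = """<html><body>
<div style="display:none; max-height:0; overflow:hidden;">Walgreens values your privacy.
We recently became aware of fraudulent activity.</div>
<p>At Walgreens, we are constantly looking for ways to improve our products and services.</p>
<p>Thank you for being a Walgreens customer.</p>
</body></html>"""
print(hidden_only_text(SAMPLE))
```

Hidden text that merely repeats a phrase from the body is not reported, so an ordinary preheader summarising the email passes while leftover wording from an earlier template is flagged.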
About the Walgreens Rite Aid 2018 Data Breach
Walgreens did in fact suffer a data breach, in April of 2018. They even have a page talking about it; however, none of the links in the above email actually go to that page. We only found it by some diligent Internet sleuthing.
And here’s what else we found: a letter from Walgreens to the New Hampshire Department of Justice, dated June 1st, detailing the data breach. It was received by the NH DOJ on June 8th. Here is what it says:
June 1, 2018
New Hampshire Office of the Attorney General
33 Capitol Street
Concord, NH 03301
Dear Attorney General:
Walgreen Co. (“Walgreens”) is notifying your office of a security breach of personal information held by two Walgreens-owned Rite Aid locations. On April 17, 2018, Walgreens discovered that unauthorized skimming devices were attached to one point-of-sale pin pad in each of the 2416 West End Avenue and 700 Gallatin Road Walgreens-owned Rite Aid locations in Nashville, TN. At this point, we are unable to determine if these skimming devices successfully captured and transmitted information related to the credit or debit cards used at these two pin pads. Since we have been unable to determine the exact dates each skimmer was present, we are providing notification out of an abundance of caution to all customers who used a debit or credit card at one or both of these pin pads going back to the date the locations became Walgreens-owned on December 20, 2017 including eight (8) New Hampshire residents.
The skimming devices may have captured the following information for anyone who had one or more credit or debit transactions at one of these pin pads during the time period: customer credit or debit card number; the PIN associated with the card, if one was used; and possibly customer first and last name. At this time, however, Walgreens is unaware of reports of fraud or any other misuse of personal information. Walgreens immediately notified law enforcement and took steps to disable the skimming devices. We are working with law enforcement to identify any fraudulent activity, and are also working to ensure fraud-prevention brackets are installed on the pin pads at certain Walgreens-owned Rite Aid store locations. Complimentary credit monitoring will be offered to residents affected by this incident.
Walgreens will provide formal notice on June 1, 2018 to potentially impacted residents. A copy of the notice is attached for your reference.
Please contact us should you have any questions.
Abby Martinez
Director, Walgreens Privacy Office
Armed with this information, we were able to track down this notice on the Walgreens website:
Important Privacy Notice
Walgreens values your privacy. We recently became aware of fraudulent activity at two Walgreens-owned Rite Aid stores in Nashville, Tennessee that may have affected payment card information for a limited number of customers.
On April 17, 2018, Walgreens discovered unauthorized skimming devices attached to a point-of-sale pin pad in two Nashville Rite Aid locations owned and operated by Walgreens, specifically at 2416 West End Avenue and 700 Gallatin Road. The skimming devices were removed immediately upon identification. Law enforcement was contacted immediately, and a criminal investigation is pending.
At this point, we are unable to determine if these skimming devices successfully captured and transmitted information related to the credit or debit cards used at these two pin pads. Out of an abundance of caution, we are notifying customers that may have been impacted. Since we have been unable to determine the exact dates each skimmer was present, we are conservatively notifying anyone who may have used a credit or debit card at one or both of these two pin pads at these locations since they became Walgreens-owned, which was December 20, 2017. Our records indicate that the credit or debit card you used to complete your purchase in one of these two stores may have been included in this potential compromise.
What information was involved
The skimming devices may have captured the following information: your credit or debit card number; the PIN associated with the debit card, if one was used; and possibly your first and last name. At this point, however, we are unaware of reports of fraud or any other misuse of personal information.
What we are doing
Walgreens immediately notified law enforcement and took steps to disable the skimming devices. We are working with law enforcement to identify any additional fraudulent activity. Walgreens is also working to ensure fraud-prevention brackets are installed on the pin pads at certain Walgreens-owned Rite Aid store locations. Walgreens deeply regrets this incident and any inconvenience it may have caused, and would like to offer you credit monitoring services from Experian at no cost to you.
What you can do
Walgreens asks that customers remain vigilant and frequently review their credit card account statements. We have enclosed information on steps you can take to further protect your information, and how to receive your free credit monitoring service. We strongly encourage that you take advantage of this offer at no cost to you.
For more information
For further information and assistance, please contact Walgreens’ toll free number at (877) 924-4472, or in writing at 200 Wilmot Road, MS 9000, Deerfield, Illinois 60015.
(You can read that Walgreens notice for yourself here.)
Now, we note that the notice we received did not go to someone in either Tennessee or New Hampshire. Which brings us to our final observations.
Either a) the breach affected Walgreens customers more widely than in just New Hampshire and Tennessee, or b) there was a subsequent breach, or c) there was no additional breach, and someone sent out what was a genuine notice of updated Terms and Conditions of Use but repurposed an email template with some unfortunate wording buried in the code.
Noting that Walgreens told the New Hampshire DOJ that they intended to notify all customers affected by the April breach on June 1st, and noting that the emails in question were sent out on July 27th, and to people decidedly not in Tennessee or New Hampshire, we think that we can eliminate option ‘a’.
And because we think that Hanlon’s Razor, “Never attribute to malice that which is adequately explained by stupidity,” is a pretty good policy, we’re going to go with option ‘c’. We believe that the hidden text in the July 27th email was a legacy of an earlier email that should have been removed, but wasn’t.
That said, we’ve got an inquiry in to Walgreens, and hopefully they will clear this up. And if they do, we’ll let you know.