Walgreens E-Mail List Hacked

Several readers have written in today after receiving a message from Walgreens that one of its e-mail distribution lists had been hacked by spammers.

Here is the message sent from Walgreens to customers on the list:

Dear Valued Customer,

We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data. We are sorry this has taken place and for any inconvenience to you.

We want to assure you that the only information that was obtained was your email address. Your prescription information, account and any other personally identifiable information were not at risk because such data is not contained in the email system, and no access was gained to Walgreens consumer data systems.

As a company, we absolutely believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. Online security experts have reported an increase in attacks on email systems, and therefore we have voluntarily contacted the appropriate authorities and are working with them regarding this incident.

We encourage you to continue to be aware of increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information. Always be cautious when opening links or attachments from unsolicited third parties. Also know that Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. So if ever asked for this information, you can be confident it is not from Walgreens.

If you have any questions regarding this issue, please contact us at 1-888-980-0963. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.


Walgreens Customer Service Team

Thanks to Mike, Steve, Carol and everyone else for the tip!



  1. deejmer says:

    Well it sucks that this was a possibility in the first place, but I do believe they handled it appropriately by being up front and informing their customer base.

  2. Gramin says:

    It happens. Nice of them to send an email.

  3. You Can Call Me Al(isa) says:

    So does that mean that if I didn’t get an email my email wasn’t affected? Or is this another case where only the people in states with laws about it got notified?

  4. smarmyjones goes cattywampus says:

    Interesting. The other night I got an e-mail from Walgreens saying my prescription was ready for pickup, but I didn’t order anything from them. I called and they did indeed have a prescription ready for me that they said was a refill. I’m not really sure what happened here as I do not have automatic refills set up, and only use Walgreens when my MOP messes my order up and I need my meds right away. Hope this is just an isolated thing.

  5. xspook says:

    Yep, I got an email a couple of days ago that stated my order was ready for pickup. I picked it up 2 days earlier.

  6. Happy Tinfoil Cat says:

    Boy I’m glad I make my own email addresses at home! I pity the fools that only have one. I have a different email address for each person or company I deal with as I have a bunch of domains I can use via cotse.

    • Dover says:

      Same here. I complained to Walgreens about the spam I was getting and they gave me a little bit of a runaround. I’m glad to know they’ve apologized (I’ve blocked that e-mail address, so I didn’t get this message), which is the appropriate thing to do and much more than I can say for some other companies who have experienced the same thing.

    • Rena says:

      I’d like to set up a system like this. One address per company/person, and keep stats on how much spam each receives. Unfortunately I lack an always-on server with a reliable connection…

      • Happy Tinfoil Cat says:

        You should check out Cotse.net. I’ve been using their service for about ten years. A lot of places I track have been getting hacked lately. (sous, nowpublic, hocus-pocus)

  7. ellmar says:

    Whatever Walgreens, you are the same company that provided my name, address and prescription drug purchasing history to a pharmaceutical manufacturer so they could send me snail mail solicitations for their other products. Your concern for my privacy ends where your ability to make a buck starts (and/or where required by law.)

  8. 16:9 says:

    Well, I’m personally not too happy about it. I am one of those customers who got spammed.

    The thing is (as mentioned by Happy Tinfoil Cat) I am one of those who gives a new email address to each corporation I do business with. It was very easy to spot therefore the forgery right away upon receiving an email from allegedly Adobe to the email address I had given Walgreen’s only.

    I contacted Walgreen’s 4 days ago, giving minute details and explaining how I knew their DB had been compromised either internally or through some external breach.

    The thing that peeves me is that the only thing I got then, despite the profuse info explaining the case, was a standard “rest assured your HIPAA info is safe with us” boiler plate email as well as links to their online privacy policy. I requested further that day some follow-up from somebody in their Information Security team who would understand those matters and I have yet to hear from one of them. Still waiting…

    I don’t care about my email being compromised: I’ll terminate that one and give Walgreen’s a new one.

    Few comments:

    1) Spam was received 8 days ago. 4 days ago, either their customer service still did not know about the breach or it was buying some time for the official PR answer. In either case, given the details I provided, it should have rung an alarm within their IT team if my info had been processed correctly.
    2) Corporations of that caliber are very sensitive to issues around Personally Identifiable Information (PII) and, furthermore in the case of Walgreen’s, around HIPAA mandates.
    3) How come nobody followed up? I received the mass email today, but my email to customer service 4 days ago still remains unanswered.
    4) There was no possibility to reply to this morning’s mass email by email; the only opportunity for further information was to call the 888 number. There is therefore no way to document any exchange with them. The gentleman I spoke with, while very polite and patient, was unable to address my expressed concerns beyond “things are OK, your info is safe.”

    I’m concerned that despite Walgreen’s statement today in their mass email, my HIPAA information could have been breached.

    I will let you know how I progress with their IT or PR team on this matter next week. I’m not giving up that easily.

  9. Why is this on Consumerist? says:

    Glad to see they’re taking it seriously.

  10. gman863 says:

    Maybe this explains other e-mails circulating on the ‘net this week:

    Deer Walgreen CustomeR:

    We NOtICe you pay weigh to much for pelasure penis PiLls lik VIAGRA or mind numb mediKAtioN like Oxydol-Contain. KinDLY contacts our MONEY SAVING profesional farmacy specilIST by clicking here.

  11. maruawe says:

    I received this in my email this morning. Seems credible as I shop there all the time. I called the number and they immediately answered (real person) and answered all my questions …

  12. almightytora says:

    UPDATE: McDonald’s also sent the same statement to me yesterday. I know it’s useless, but I unsubscribed from both of them after I got those.

  13. traveladdict says:

    Walgreens was not the only one - I received an email from a small online community called deviantART who also were hacked. They specifically named Silverpop as their ESP in the incident.

    • 16:9 says:

      I have still not heard back from Walgreen’s and will call them again today.

      Following on the previous post, it would seem that Walgreens, who has still not explained how the breach occurred, conducts business with Arc Worldwide as its promotional marketing ‘agency of record.’ Arc Worldwide counts Silverpop as a partner, which would be the one having been hacked, leaking the McDonald’s and Walgreen’s customer email addresses.

      More at http://www.theregister.co.uk/2010/12/15/silverpop_breach_probe/