A data security flaw in the CVS Corporation’s “ExtraCare” loyalty card service was exposed Monday by the grassroots group Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN.

The security hole reportedly allowed anyone to learn what a customer had purchased using the loyalty card by using the card number, the customer’s zip code and first three letters of the customer’s last name.

According to an AP report, the CVS Corp. responded to the news by taking down the web site pending a redesign of the site’s security.