[BreachExchange] Over a billion records belonging to CVS Health exposed online

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jun 16 11:43:05 EDT 2021


https://www.zdnet.com/article/billions-of-records-belonging-to-cvs-health-exposed-online/

In another example of misconfigured cloud services impacting security, over
a billion records belonging to CVS Health have been exposed online.

On Thursday, WebsitePlanet, together with researcher Jeremiah Fowler,
revealed the discovery of an online database belonging to CVS Health. The
database was not password-protected and had no form of authentication in
place to prevent unauthorized entry.

Upon examination of the database, the team found over one billion records
that were connected to the US healthcare and pharmaceutical giant, which
owns brands including CVS Pharmacy and Aetna.

The database, 204GB in size, contained event and configuration data
including production records of visitor IDs, session IDs, device access
information -- such as whether visitors to the firm's domains used an
iPhone or Android handset -- as well as what the team calls a "blueprint"
of how the logging system operated from the backend.

Search records exposed also included queries for medications, COVID-19
vaccines, and a variety of CVS products, referencing both CVS Health and
CVS.com.

"Hypothetically, it could have been possible to match the Session ID with
what they searched for or added to the shopping cart during that session
and then try to identify the customer using the exposed emails," the report
states.

The researchers say the unsecured database could be used in targeted
phishing by cross-referencing some of the emails also logged in the system
-- likely through accidental search bar submission -- or for
cross-referencing other actions. Competitors, too, may have been interested
in the search query data generated and stored in the system.
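The linkage risk described above (session IDs tying health-related searches and cart
contents to e-mail addresses that were typed into the search box) can be shown with a
few lines of code. The following is an added example, not code from WebsitePlanet,
ZDNet or CVS Health; the record format, field names and sample events are constructed
assumptions for illustration and are not the schema of the exposed database. It
correlates events by session ID, flags sessions where a leaked e-mail address makes the
"non-identifiable" telemetry identifiable, and shows the redaction step that should run
before such events are written to an analytics store.

```python
import json
import re
from collections import defaultdict

# Constructed sample of a visitor-analytics event log (JSON lines). The field
# names, IDs, queries and products are assumptions for this example only.
SAMPLE_LOG = """
{"visitor_id": "v-1001", "session_id": "s-aaa", "device": "iPhone", "event": "search", "query": "covid-19 vaccine near me"}
{"visitor_id": "v-1001", "session_id": "s-aaa", "device": "iPhone", "event": "search", "query": "jane.doe@example.com"}
{"visitor_id": "v-1001", "session_id": "s-aaa", "device": "iPhone", "event": "add_to_cart", "product": "lisinopril 10mg"}
{"visitor_id": "v-2002", "session_id": "s-bbb", "device": "Android", "event": "search", "query": "allergy relief"}
{"visitor_id": "v-2002", "session_id": "s-bbb", "device": "Android", "event": "add_to_cart", "product": "cetirizine"}
{"visitor_id": "v-3003", "session_id": "s-ccc", "device": "Android", "event": "search", "query": "john@example.org ibuprofen"}
"""

# Simple e-mail matcher; good enough to catch addresses pasted into a search box.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_log(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def correlate_sessions(records):
    """Group events by session_id and collect searches, cart items and any
    e-mail addresses that were typed into the search box.
    Returns {session_id: {"emails", "searches", "cart", "device"}}."""
    sessions = defaultdict(
        lambda: {"emails": set(), "searches": [], "cart": [], "device": None}
    )
    for rec in records:
        s = sessions[rec["session_id"]]
        s["device"] = rec.get("device")
        if rec["event"] == "search":
            query = rec.get("query", "")
            s["searches"].append(query)
            s["emails"].update(EMAIL_RE.findall(query))
        elif rec["event"] == "add_to_cart":
            s["cart"].append(rec.get("product", ""))
    return dict(sessions)


def identifiable_sessions(sessions):
    """Sessions where a leaked e-mail can be tied to the session's health-related
    activity; this is the cross-referencing a phisher or competitor would do."""
    return {sid: s for sid, s in sessions.items() if s["emails"]}


def redact_record(rec):
    """Mitigation: scrub e-mail addresses from free-text fields before the event
    is written to the analytics store, so the log really is non-identifying."""
    out = dict(rec)
    for field in ("query", "product"):
        if field in out:
            out[field] = EMAIL_RE.sub("[email-redacted]", out[field])
    return out


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for sid, s in identifiable_sessions(correlate_sessions(records)).items():
        print(sid, s["device"], sorted(s["emails"]), s["searches"], s["cart"])
    print([redact_record(r)["query"] for r in records if r["event"] == "search"])
```

Redaction at ingest is the complement to, not a substitute for, authentication on the
store itself: both the exposed store and the "metadata is harmless" assumption failed
here, and the second only matters once the first has.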

WebsitePlanet sent a private disclosure notice to CVS Health and quickly
received a response confirming the dataset belonged to the company.

CVS Health said the database was managed by an unnamed vendor on behalf of
the firm and public access was restricted following disclosure.

"In March of this year, a security researcher notified us of a publicly
accessible database that contained non-identifiable CVS Health metadata,"
CVS Health told ZDNet. "We immediately investigated and determined that the
database, which was hosted by a third party vendor, did not contain any
personal information of our customers, members, or patients. We worked with
the vendor to quickly take the database down. We've addressed the issue
with the vendor to prevent a recurrence and we thank the researcher who
notified us about this matter."