[BreachExchange] Walgreens Mobile App Leaks Prescription Data

Destry Winant destry at riskbasedsecurity.com
Wed Mar 4 10:36:07 EST 2020


https://threatpost.com/walgreens-mobile-app-prescription-data/153361/

A security error in the Walgreens mobile app may have leaked
customers’ full names, prescriptions and shipping addresses.

Popular pharmacy chain Walgreens is warning that a bug in its official
mobile app may have exposed sensitive data, including customers’ full
names and information on prescriptions for medications they are
taking.

The security issue stemmed from an “error” in the personal secure
messaging feature of Walgreens’ mobile app. The mobile messaging
feature is a service for registered customers to receive SMS alerts
for prescription refill notifications, deals and coupons. While
Walgreens did not detail the technical glitch, it said that the
internal application error enabled certain personal messages, stored
in a database, to be viewed by other customers who were using the
mobile app.

“As part of our investigation, Walgreens determined that certain
messages containing limited health-related information were involved
in this incident for a small percentage of impacted customers,”
according to a Walgreens data security incident customer notification,
filed with the Office of the Attorney General and published Friday.
“We believe that you were part of the impacted customer group and that
one or more personal messages containing your limited health-related
information may have been viewed by another customer on the Walgreens
mobile app between January 9, 2020 and January 15, 2020.”

That potentially exposed data includes first and last names of
customers, their prescription numbers and drug names, store numbers
that customers picked up prescriptions from, and shipping addresses.
Walgreens said that financial information and Social Security numbers
were not impacted.

After the issue was discovered on Jan. 15, “Walgreens promptly took
steps to disable the message viewing feature within the Walgreens
mobile app to prevent further disclosure until a permanent correction
was implemented to resolve the issue,” according to the notice.
“Walgreens will conduct additional testing as appropriate for future
changes to verify the change will not impact the privacy of customer
data.”

Fausto Oliveira, principal security architect at Acceptto, said the
incident looks like a typical example of a lack of proper testing.

“If the error conditions in the app had been properly tested, this
type of issue should have been caught by the quality assurance
department and never seen in production,” he told Threatpost. “It is
unfortunate that often in the rush to go to market, shortcuts are
taken and due-diligence testing is skipped in favor of meeting a
release date. It also raises questions as to why wasn’t this
information encrypted so that even if it was written to a database it
would be unreadable and also how come individuals had access to a copy
of the database? A proper design would have ensured that any records
accessible on the mobile device would be encrypted using per user keys
and that the device would only have access to the information that was
relevant to the specific user.”

Walgreens recommended that customers monitor their prescriptions and
medical records. The company did not say how many customers were
impacted, and how many actually accessed the exposed information
(Threatpost has reached out for further comment). But the potential
number of people impacted is vast based on Walgreens’ customer base.
The company interacts with approximately 8 million customers in its
stores and online each day, and filled 1.2 billion prescriptions on a
30-day adjusted basis in fiscal 2019, according to its website. And,
the Walgreens mobile app on the Google Play app marketplace has more
than 10 million downloads.

The fact that prescriptions were leaked “is worrying,” said Oliveira,
since it discloses health conditions that may be used for malicious
attacks like blackmailing. A bad actor who got his hands on this data,
for instance, could threaten to make employers aware of victims’
conditions that they may not want to reveal.

“I think the offer from Walgreens to place the customers in several
credit-card monitoring companies, is ineffective and does not help at
all to address the concerns,” he told Threatpost. “If the information
has been leaked, it is out there and credit-card monitoring companies
cannot do anything to prevent the information from spreading. This is
a situation where preventing this type of events from happening in the
first place is the only cure.”

It’s not the first time that Walgreens has dealt with a security
issue. In 2013, the company was hit with a $1.4 million penalty for a
data breach after a pharmacist in a Walgreens store in Indianapolis
inappropriately viewed and shared a woman’s prescription history.

