CVS faces one of the biggest data breaches

American healthcare company CVS is facing one of the biggest data breaches ever in the history of mankind.

More than 1 billion CVS Health search records were accidentally exposed online in a data breach incident in late March 2021, and an unnamed third-party vendor that hosted the database is responsible for the exposure.

Misconfiguration in cloud database is the culprit

Independent cybersecurity researcher Jeremiah Fowler discovered the breach and quickly alerted CVS, and the database was taken offline the same day.

Speaking to Forbes, Fowler said that the records contained search data from CVS.com and CVSHealth.com for both COVID-19 vaccines and medications.

However, some visitors had typed their own email addresses into the search bar, likely mistaking it for a login field.

It is therefore possible that some of this data could be traced back to an individual customer.

Along with Fowler, the research team at WebsitePlanet discovered the database, which was not password-protected, on March 21, 2021.

Their findings also uncovered CVS's configuration settings and backend operations, information that could be used to craft convincing phishing attacks if it were obtained by bad actors.

The exposed search data also contained users' session IDs, together with what they searched for or added to the shopping cart during that session.

Correlating a session ID with an email address that the same user typed into the search bar could allow an attacker to identify an individual customer.
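The two risks described above (email addresses ending up in search logs, and session IDs that tie a whole browsing session to one person) are both mitigations a site operator can apply before search events are written to an analytics store. The following is an added example, not code from the article, from CVS, or from the vendor; it assumes a simple dictionary-shaped search event and a hypothetical per-deployment key `PSEUDONYM_KEY`. It redacts anything that looks like an email address from the query string and replaces the raw session ID with a keyed HMAC pseudonym, so that a leaked copy of the analytics data cannot be joined back to individual customers without the key.

```python
import hashlib
import hmac
import re

# Pattern for an email address typed into a search box (constructed; deliberately simple).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Hypothetical per-deployment secret used to pseudonymize session identifiers.
# In a real deployment this would come from a secret store, not from source code.
PSEUDONYM_KEY = b"example-key-not-for-production"


def scrub_query(query: str) -> tuple[str, bool]:
    """Replace any email address in a search query with a fixed token.

    Returns the scrubbed query and whether anything was redacted.
    """
    scrubbed, count = EMAIL_RE.subn("[email-redacted]", query)
    return scrubbed, count > 0


def pseudonymize_session(session_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a keyed one-way pseudonym for a session ID (HMAC-SHA256, truncated).

    Without the key, an analytics record cannot be mapped back to the raw session ID,
    so a leaked analytics store cannot be joined against live session data.
    """
    digest = hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


def sanitize_record(record: dict) -> dict:
    """Build the analytics record that is safe to hand to a shared or third-party store."""
    query, redacted = scrub_query(record["query"])
    return {
        "session": pseudonymize_session(record["session_id"]),
        "query": query,
        "redacted": redacted,
        "cart_adds": record.get("cart_adds", []),
    }


def sanitize_all(events: list[dict]) -> list[dict]:
    """Sanitize a batch of raw search events."""
    return [sanitize_record(e) for e in events]


# Constructed sample search events of the kind the article describes.
SAMPLE_EVENTS = [
    {"session_id": "sess-0001", "query": "covid vaccine appointment", "cart_adds": []},
    {"session_id": "sess-0002", "query": "jane.doe@example.com", "cart_adds": ["ibuprofen 200mg"]},
    {"session_id": "sess-0003", "query": "refill for john@example.org please", "cart_adds": []},
]


if __name__ == "__main__":
    for rec in sanitize_all(SAMPLE_EVENTS):
        print(rec)
```

Redaction happens at ingestion time, so the raw query never reaches the analytics store; the `redacted` flag lets analysts measure how often users mistake the search box for a login form without retaining the addresses themselves.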

CVS Health Data Leak

Acknowledging this data leak, CVS Health in a public statement said,

In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata.

We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients.

We also worked with the vendor to quickly take the database down. We've addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.

– CVS Health, press release

Even if no personal data was collected, an exposure of this size presents legitimate risks to large organizations such as CVS that track search data for analytics, marketing, and customer engagement purposes.

Unfortunately, human error lies behind both halves of this incident: the misconfiguration that left the database publicly accessible, and the website visitors who entered their own email addresses into the search bar.

Accidental data exposures like this one may not grab as many headlines as ransomware attacks, but they are still a legitimate cause for concern.
