More than 1 billion customer records belonging to CVS Health Corp. have been found exposed online in the latest tale of unsecured cloud data storage.
On Thursday, WebsitePlanet, together with researcher Jeremiah Fowler, revealed the discovery of an online database belonging to CVS Health. The database was not password-protected and had no form of authentication in place to prevent unauthorized entry.
Key findings from the Data Leak
- The database, 204GB in size, contained event and configuration data including production records of visitor IDs, session IDs, device access information such as whether visitors to the firm’s domains used an iPhone or Android handset — as well as what the team calls a “blueprint” of how the logging system operated from the backend. Search records exposed also included queries for medications, COVID-19 vaccines, and a variety of CVS products, referencing both CVS Health and CVS.com.
- The data, at least according to CVS, were not customer account records but related to data entered by customers into the search bar on the company’s website though it’s strange that customers searching the CVS website would enter their emails.
- Flower noted, perhaps being overly generous, “it is a possible theory that visitors may have believed they were logging into their account but were really entering their email address into the search bar.”
- CVS also blamed a third-party vendor. “We were able to reach out to our vendor and they took immediate action to remove the database,” CVS said in a statement. Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.”
- Which cloud storage hosted the unsecured database was not disclosed.
Jasen Meece, chief executive officer of authorization and application security solutions provider Cloudentity Inc., told SiliconANGLE. “To prevent misconfigurations, organizations must implement identity and access management controls on their databases and all other resources within their network to ensure every point of entry is secured.”
Data leak of such nature exposes highlights the importance of protecting sensitive customer information as well as ensuring outside vendors have proper security measures in place.
Companies housing personal information for millions of customers need to reflect on their current password practices
Also ensure they are building the safest habits to protect their company and customers from cybercriminals.
To avoid such exposures include scanning your own cloud environments automatically to discover and lock down exposed resources under such circumstances.