A Billion CVS Records Exposed

More than a billion records were exposed after a misconfiguration error left a CVS Health cloud database without password protection.





The 240GB of unsecured data was discovered by WebsitePlanet and security researcher Jeremiah Fowler in a cooperative investigation. 





Because of the security oversight by CVS Health, which owns CVS Pharmacy and Aetna, a total of 1,148,327,940 records were exposed.





Information that was left publicly accessible to anyone who knew how to look for it included customers' search histories detailing their medications, and production records that exposed visitor ID, session ID, and device information (e.g., iPhone, Android, iPad).





Personal data was also exposed, with researchers noting that "a sampling search query revealed emails that could be targeted in a phishing attack for social engineering or potentially used to cross reference other actions."





Researchers said that any threat actors who accessed the database could have gleaned a clear understanding of configuration settings, discovered where data is stored, and accessed a blueprint of how the logging service operates from the backend.





After encountering the unprotected database on March 21, researchers contacted CVS Health, which acted swiftly to restrict public access.





"We were able to reach out to our vendor and they took immediate action to remove the database," said CVS Health. "Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients."
