Data is mostly log files, but some email addresses are mixed
More than a billion records generated from user visits to websites operated by pharmacy chain CVS were exposed online in an unsecured database — but don’t panic just yet.
The 1,148,327,940 database entries, totaling 204 GB of data, included user logs, the type of data that websites hold about their visitors. Most of those items were routine – “add to cart, configuration, dashboard, index-pattern, more refinement, order, remove from cart, search, server,” as researcher Jeremiah Fowler wrote in a blog post on the WebsitePlanet site today (June 16).
There was also slightly more sensitive information, such as randomly generated user IDs and session IDs, as well as whether the visitor was accessing the website from a smartphone or desktop computer. The data also showed what people searched for on various websites operated by CVS.
On its own, a user ID cannot be tied to a particular individual, and the CVS websites appear to have been deliberately set up that way.
Unfortunately, there were also many email addresses in the database, which should not have been there. It appears that some users typed their own email addresses into the search bar on CVS websites, particularly if they were accessing the sites from mobile phones.
“When reviewing the mobile version of the CVS site it is a possible theory that visitors may have believed they were logging into their account, but were actually entering their email address into the search bar,” Fowler wrote in his report.
“This may explain how many email addresses ended up in a database of product searches that were not intended to identify the visitor.”
Email addresses can be used to track people
Since the database was only available to Fowler and his fellow researchers for a short time, they could not see how many total email addresses were exposed.
Because many of those email addresses contain part or most of a person’s name, it would have been possible to match those email addresses to user IDs and then see what those individuals searched for and purchased on CVS websites. The database did not include any credit card or other financial information.
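The two problems described above, email addresses typed into a search bar ending up in logs and those addresses being matched to user IDs, can be blunted on the operator's side by scrubbing queries before they are written to a log store. The following is an added example and not code from Fowler's report or from CVS; the log records, field names and salt are constructed for illustration.

```python
import hashlib
import re

# Constructed sample of search-log records, loosely shaped after the event
# types named in the report ("search", "add to cart"). Not real CVS data.
SAMPLE_LOG = [
    {"event": "search", "user_id": "u-8f3a2c", "device": "mobile", "query": "ibuprofen 200mg"},
    {"event": "search", "user_id": "u-8f3a2c", "device": "mobile", "query": "jane.doe@example.com"},
    {"event": "add_to_cart", "user_id": "u-19bb07", "device": "desktop", "query": None},
    {"event": "search", "user_id": "u-19bb07", "device": "desktop",
     "query": "contact john_smith@example.org password"},
]

# Pragmatic email matcher for free-text queries; it does not try to be RFC-complete.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Placeholder salt. In production this must be a secret held outside the log
# store, otherwise the tokens can be reversed by hashing guessed addresses.
SCRUB_SALT = b"replace-with-secret-salt"


def redact_query(query, salt=SCRUB_SALT):
    """Replace every email address in a query with a salted-hash token.

    Returns (scrubbed_query, number_of_emails_replaced). The token is a
    pseudonym: it still lets abuse analytics count repeats of one address
    without the stored record naming the person.
    """
    if not query:
        return query, 0
    count = 0

    def _sub(match):
        nonlocal count
        count += 1
        digest = hashlib.sha256(salt + match.group(0).lower().encode()).hexdigest()
        return f"[email:{digest[:12]}]"

    return EMAIL_RE.sub(_sub, query), count


def scrub_records(records):
    """Return scrubbed copies of the records and the total emails removed."""
    scrubbed, total = [], 0
    for rec in records:
        rec = dict(rec)  # copy so the caller's records are left untouched
        rec["query"], n = redact_query(rec.get("query"))
        total += n
        scrubbed.append(rec)
    return scrubbed, total
```

The same matcher can be run over an existing index to audit how many stored queries already contain addresses before deciding whether to purge them.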
Spammers and scammers could also use those email addresses to target people, though it’s not clear how long the database was left unprotected online or whether someone stole data from it.
Fowler and his colleagues from the WebsitePlanet research team notified CVS parent company CVS Health on March 21, the day they found the database, and CVS Health locked the database the same day.
CVS Health told Fowler that the database was run by an unnamed third-party vendor.
“We were able to reach out to our vendor and they took immediate action to delete the database,” CVS Health said in a statement quoted by Fowler. “Protecting the personal information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information from our customers, members or patients.”
CVS is much more than just drugstores
CVS is much more than just the retail drugstores that began in New England and have spread across the United States over the past few decades. The parent company, CVS Health, also owns and operates CVS Caremark, a prescription-drug management company that employers can use to fulfill prescriptions under their health plans.
If that’s not big enough, CVS Health also bought Aetna, a 200-year-old insurer, in 2018. The company now ranks fourth on the Fortune 500 list of the largest US companies by revenue, just behind Walmart, Amazon and Apple.
However, it looks like this data leak wasn’t CVS Health’s fault, as Fowler said in his blog post.
“Only human error can be blamed for both the misconfiguration that publicly exposed the database and website visitors who entered their own email addresses in the search bar,” Fowler wrote.
“We are not implying any wrongdoing by CVS Health, their contractors, or vendors. We are also not implying that customers, members, patients, or website visitors were at risk. The principles expressed here are based on the hypothetical probabilities of how this data could be used.”