Security researchers have discovered an online database belonging to CVS Health which exposed over a billion records online.
On March 21st, 2021 Website Planet research team in collaboration with independent cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database belonging to CVS health that contained over 1 billion records.
CVS Health, headquartered in Woonsocket, Rhode Island is an American healthcare firm that owns CVS Pharmacy, a retail pharmacy chain; CVS Caremark, a pharmacy benefits manager; Aetna, a health insurance provider, among many other brands.
The database, which was approximately 204 gigabytes in size, contained event and configuration data including production records of visitor IDs, session IDs, customer email addresses, and customer searches on CVS Pharmacy websites for COVID-19 vaccines and other medications. The leaked database had no form of authentication in place to prevent unauthorized entry, Jeremiah Fowler stated.
"Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails," Fowler wrote.
According to Website Planet, the leaked database could be used in targeted phishing by cross-referencing some of the emails also logged in the system -- likely through accidental search bar submission -- or for cross-referencing other actions. Competitors, too, may have been interested in the search query data generated and stored in the system.
WebsitePlanet sent a responsible disclosure notice to CVS Health and quickly received a response confirming the dataset belonged to the company. CVS Health said the database was managed by an unnamed vendor on behalf of the firm and public access was restricted following disclosure.
"In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata. We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We've addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter," CVS Health told ZDNet.