Security News > 2021 > June > CVS Health Records for 1.1 Billion Customers Exposed

More than 1 billion records for CVS Health customers were left in the database of a third-party, unnamed vendor - exposed, unprotected, online.

CVS Health is the parent company behind multiple household brands, including the CVS Pharmacy retail pharmacy chain; CVS Caremark, a pharmacy benefits manager; and Aetna, a health insurance provider.

A CVS spokesperson confirmed the researchers' findings, saying that CVS Health had been notified of the exposure of a publicly accessible database that contained non-identifiable CVS Health metadata.

The records also exposed fields called Visitor ID, Session ID and device information, such as whether customers were using an iPhone, an Android, an iPad or a desktop PC. The team noted that by stringing together the data, they could reveal emails that could be targeted in a phishing attack, in social engineering, or "Potentially used to cross-reference other actions."

The records show what device customers used, with a majority of the searches coming from phones and mobile devices such as iPhones or Androids, as well as some searches coming from desktop computers.

The exposed search logs were from searches done on both CVS Health and CVS.com, and provided "Valuable analytical data to see what customers are looking for and if they are finding the products they want," the team said.

News URL

https://threatpost.com/cvs-health-records-billion-customers-exposed/167011/