Unprotected CVS database exposed sensitive customer searches (Security News, June 2021)
Researchers have discovered an unprotected, exposed online database with over a billion records belonging to American healthcare company CVS Health.
The discovery, made by researcher Jeremiah Fowler and the WebsitePlanet research team, happened in March 2021. The database was secured the next day, after CVS Health was notified and contacted the third-party vendor responsible for securing it.
It is still unknown whether someone other than the researchers previously found the exposed database and/or exfiltrated the data held within, but according to Fowler, the data - which includes searches made on CVS Health and CVS.com and some email addresses - could be used to identify some of the customers and target them with social engineering attacks.
"According to the CVS representative, these emails were not from CVS customer account records and were entered into the search bar by visitors themselves. The search bar captures and logs everything that is entered into the website's search function and these records were stored as log files," Fowler explained.
"The records also contained a 'Visitor ID' and 'Session ID'. I saw multiple records that indicated visitors searching for a range of items including medications, Covid 19 vaccines, and other CVS products. Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails."
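The mechanism Fowler describes, a search box whose raw input is written straight to log files together with visitor and session identifiers, is a common source of accidental PII retention. The following Python example is added here for illustration; it is not code from CVS, WebsitePlanet or the article. It assumes a hypothetical log record shape (`visitor_id`, `session_id`, `query`), a constructed pseudonymization key, and simple e-mail and phone-number patterns. It goes slightly beyond the article's e-mail case: it also redacts phone numbers and replaces the raw identifiers with a keyed hash, so stored records cannot be joined back to a real visitor without the key, and it includes an audit helper for finding records in an existing log that still carry contact details.

```python
import hashlib
import hmac
import re

# Matches the common shapes of an e-mail address typed into a search box.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Matches North-American style phone numbers such as 555-123-4567 or (555) 123 4567.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")

# Constructed key for this example only; a real deployment loads it from a secret store.
PSEUDONYM_KEY = b"example-only-do-not-use"


def redact_query(query: str) -> str:
    """Replace e-mail addresses and phone numbers in a free-text search string."""
    query = EMAIL_RE.sub("[EMAIL]", query)
    query = PHONE_RE.sub("[PHONE]", query)
    return query


def pseudonymize(identifier: str) -> str:
    """Keyed hash of a visitor or session id.

    The result is stable within the log (sessions can still be grouped for
    analytics) but cannot be reversed to the original id without the key.
    """
    digest = hmac.new(PSEUDONYM_KEY, identifier.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def scrub_record(record: dict) -> dict:
    """Return a copy of a search-log record that is safe to persist."""
    return {
        "visitor_id": pseudonymize(record["visitor_id"]),
        "session_id": pseudonymize(record["session_id"]),
        "query": redact_query(record["query"]),
    }


def find_pii_records(records) -> list:
    """Audit helper: indices of records whose raw query still contains contact details."""
    return [
        i
        for i, r in enumerate(records)
        if EMAIL_RE.search(r["query"]) or PHONE_RE.search(r["query"])
    ]


# Constructed sample records; none of these are real visitors or real data.
SAMPLE_RECORDS = [
    {"visitor_id": "v-1001", "session_id": "s-abc", "query": "covid 19 vaccine near me"},
    {"visitor_id": "v-1002", "session_id": "s-def", "query": "jane.doe@example.com"},
    {"visitor_id": "v-1002", "session_id": "s-def", "query": "ibuprofen 200mg"},
    {"visitor_id": "v-1003", "session_id": "s-ghi", "query": "refill 555-123-4567"},
]

if __name__ == "__main__":
    print("records still holding contact details:", find_pii_records(SAMPLE_RECORDS))
    for r in SAMPLE_RECORDS:
        print(scrub_record(r))
```

Redaction happens before the record is written, so an exposed log file reveals that someone searched for a vaccine but not who. The keyed hash deliberately keeps linkage within the log, which is exactly the property Fowler points out makes session data sensitive, so retention limits and access control on the log store still matter.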
David Pickett, senior cybersecurity analyst at AppRiver, notes that aside from protecting sensitive customer information, organizations must make sure that any third-party vendors who have been brought on to help with security and cloud migration have proper security measures in place.