Researcher: 1 Billion CVS Health Website Records ExposedDatabase Contains Website Visitor Activity Logs, But Not Personal Information
The discovery of an unsecured database containing over 1 billion records related to CVS Health website visitor activity illustrates yet again how security missteps can potentially leave sensitive data exposed, some security experts say.
In a report issued Wednesday, security researcher Jeremiah Fowler, who worked on a study with a research team at IT services firm Website Planet, says the database linked to the main CVS Health website was likely unsecure because of a misconfiguration.
Woonsocket, Rhode Island-based CVS Health owns retail chain CVS Pharmacy, pharmacy benefits manager CVS Caremark and health insurer Aetna, among many other brands.
Fowler says he contacted CVS Health about his findings prior to the report's release, and the database was then quickly secured by a vendor that managed it for CVS.
The unsecured database contained records related to the activities of visitors to the company's website, including production records that exposed visitor ID, session ID and device information – such as iPhone, Android or iPad. It did not contain customers' directly identifiable personal or health information, such as names or prescription information.
The records also contained an unspecified number of email addresses of customers who appear to have inadvertently typed in their email addresses in the website's search bar.
"In a small sampling of records, there were email [addresses] from all major email providers," Fowler tells Information Security Media Group. "Even 0.01% of 1 billion is a pretty large hypothetical number."
Search Data Exposed
The exposed records also included visitor searches for a range of items, including medications, COVID-19 vaccines and other CVS products, as well as purchases added and removed from the site's shopping cart.
"Hypothetically, it could have been possible to match the session ID with what [individuals] searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails," Fowler says.
"A sampling search query revealed emails that could be targeted in a phishing attack for social engineering or potentially used to cross-reference other actions," he says. "The files gave a clear understanding of configuration settings, where data is stored and a blueprint of how the logging service operates from the backend."
The logging data contained in the exposed CVS Health database "is very common and companies store and collect this data to use as valuable analytics for what customers are searching for," Fowler tells ISMG.
"This can determine if they need to expand their offerings or know who is searching for what. This data could potentially be used to build user profiles for logged-in users."
Other security experts not involved with Fowler's research offer a similar assessment of the risks involved when email addresses and user search data are accessible on unsecured websites and databases or otherwise compromised.
"We've seen email addresses used for phishing campaigns or business email compromise attacks," says a spokeswoman for security consultancy Pondurance. "Having the information contained in a user's search history could enable attackers to craft very specific, targeted phishing emails."
CVS Health Responds
In response to the report, CVS Health tells ISMG: "In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata. We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personal information of our customers, members or patients.
"There was no risk to customers, members or patients, and we worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence, and we thank the researcher who notified us about this matter."
Symptoms of Larger Problems?
Some security experts say incidents involving misconfigured databases or unsecured websites are often symptoms of larger problems that leave organizations vulnerable to cyberattacks.
Andrew Jenkinson, group CEO of the security firm Cybersec Innovation Partners, notes that his company's own recent research found that often, healthcare sector entities that have been rated as having weak website security have been victims of cyberattacks.
"If the website is insecure, that means the server will also be, in the majority of cases," he says. "Where are databases stored? On the servers."
Limit Data Storage
To avoid exposing massive data troves, Fowler says it's critical for organizations to avoid storing data past its useful life cycle.
"CVS did a very good job by isolating their data, where many companies use one dataset for all of their information across the network," he says.
"I would tell any company dealing with sensitive data to isolate it by how sensitive the data is and to use encryption. Also monitor firewalls and outside access."