


One billion website records exposed in CVS data leak — but here's why you shouldn't worry


A CVS pharmacy counter in Saugus, Massachusetts, in 2019.
(Image credit: QualityHD/Shutterstock)

More than a billion records generated by user visits to websites operated by pharmacy chain CVS were exposed online in an unprotected database — but don't panic just yet.

The 1,148,327,940 database entries, totaling 204 GB of data, consisted of user logs, the type of data that websites keep about their visitors. Most of those items were dull — "add to cart, configuration, dashboard, index-pattern, more than refinements, order, remove from cart, search, server," as stated by researcher Jeremiah Fowler in a blog post on the WebsitePlanet site today (June 16).


There was slightly more sensitive information as well, such as randomly generated user IDs and session IDs, plus whether the visitor was accessing the website from a smartphone or a desktop computer. The data also showed what people searched for on the various CVS-run websites.

You're not supposed to be able to tie the user IDs to any particular individuals, and the CVS websites appear to be set up so that doesn't happen.

Unfortunately, the database also contained a number of email addresses, which weren't supposed to be there. It appears that some users typed their own email addresses into search bars on the CVS websites, especially if they were accessing the sites from a mobile phone.

"When reviewing the mobile version of the CVS site it is a possible theory that visitors may have believed they were logging into their account, but were really entering their email address into the search bar," Fowler wrote in his report.

"This could explain how so many email addresses ended up in a database of product searches that was not intended to identify the visitor."

Email addresses can be used to track people

As the database was available to Fowler and his fellow researchers for only a short period of time, they couldn't see how many email addresses in total were exposed.

Because many of those email addresses contained part or most of a person's name, it would have been possible to match those email addresses to user IDs and then see what those individuals searched for and purchased on the CVS websites. No credit cards or other financial information was included in the database.

Spammers and scammers could also have used those email addresses to target people, although it's not clear how long the database was left unprotected online or whether anyone stole information from it.

Fowler and his colleagues from the WebsitePlanet research team notified CVS parent company CVS Health on March 21, the day they found the database, and CVS Health locked down the database the same day.

CVS Health told Fowler the database was run by an unnamed third-party vendor.

"We were able to reach out to our vendor and they took immediate action to remove the database," Fowler quotes CVS Health as stating. "Protecting the private data of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients."

CVS is much more than just drugstores

CVS is a lot more than just the retail drugstores that started in New England and have spread across the U.S. in the past couple of decades. The parent company, CVS Health, also owns and operates the CVS Caremark prescription-drug management company, which your own company may use to fulfill prescriptions under its health plan.

If that's not big enough, CVS Health also bought the 200-year-old insurance giant Aetna in 2018. The company now ranks fourth in the Fortune 500 list of the largest American companies by revenue, right after Walmart, Amazon and Apple.

Still, it seems like this data leak wasn't CVS Health's fault, as Fowler said in his blog post.

"Only human error can be blamed for both the misconfiguration that publicly exposed the database and website visitors who entered their own email addresses in the search bar," Fowler wrote.

"We are not implying any wrongdoing by CVS Health, their contractors, or vendors. We are also not implying that customers, members, patients or website visitors were at risk. The theories expressed here are based on hypothetical possibilities of how this data could be used."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/cvs-data-leak-1-billion-records

Posted by: gilmandulaying78.blogspot.com
