IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

CVS Health data breach leaves a billion records exposed

A misconfigured cloud service is the suspected cause of the exposure

CVS health sign on a white building

A misconfiguration in a CVS Health cloud database left over a billion records exposed, according to an investigation by WebsitePlanet in cooperation with security researcher Jeremiah Fowler. 

The roughly 240GB database was not password protected, meaning anyone who knew where to look could find the records held within.

A total of 1,148,327,940 records belonging to the US health care and pharmaceutical behemoth, which owns CVS Pharmacy and Aetna, were found. The database contained production records that exposed Visitor ID, Session ID, and device information (i.e., iPhone, Android, iPad, etc.). 

Worryingly, the files also gave threat actors a clear understanding of configuration settings, where data is stored, and a blueprint of how the logging service operates from the backend.

Researchers also found multiple records of visitors’ search histories, including medications, COVID-19 vaccines, and other CVS products.

"Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails," researchers said.

The investigation also carried out a sampling search query that revealed emails hackers could target in a phishing attack or potentially use to cross-reference other actions.

Related Resource

The secure cloud configuration imperative

The central role of cloud security posture management

The secure cloud configuration imperativeFree download

After discovering the unprotected database on March 21, the researchers immediately sent a responsible disclosure notice to CVS Health. The company restricted public access the same day.

In a statement, CVS Health said, “We were able to reach out to our vendor and they took immediate action to remove the database. Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.”

Paul Norris, a senior systems engineer at Tripwire, told ITPro that misconfigurations like these are becoming all too common

“Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet,” he said.

“Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3. Once a process is in place, the systems must be monitored for changes to their configurations. These are solvable problems, and tools exist today to help."

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022
How do you become an ethical hacker?
ethical hacking

How do you become an ethical hacker?

29 Apr 2022
What is phishing?
phishing

What is phishing?

29 Apr 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
How full-stack observability can accelerate IT innovation
Sponsored

How full-stack observability can accelerate IT innovation

3 May 2022