This post originally appeared on ZDNet, June 16, 2021.
On Thursday, WebsitePlanet, together with researcher Jeremiah Fowler, revealed the discovery of an online database belonging to CVS Health. The database was not password-protected and had no form of authentication in place to prevent unauthorized entry.
Upon examination of the database, the team found over one billion records that were connected to the US healthcare and pharmaceutical giant, which owns brands including CVS Pharmacy and Aetna.
The database, 204GB in size, contained event and configuration data including production records of visitor IDs, session IDs, device access information -- such as whether visitors to the firm's domains used an iPhone or Android handset -- as well as what the team calls a "blueprint" of how the logging system operated from the backend.
Search records exposed also included queries for medications, COVID-19 vaccines, and a variety of CVS products, referencing both CVS Health and CVS.com.
"Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails," the report states.
The researchers say the unsecured database could be used in targeted phishing by cross-referencing some of the emails also logged in the system -- likely through accidental search bar submission -- or for cross-referencing other actions. Competitors, too, may have been interested in the search query data generated and stored in the system.
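The linkage risk described above comes from email addresses landing in search-query log fields, so one mitigation is to scrub email-like text before events are stored. The sketch below is an added example, not code from the report or from CVS Health; the field names (`visitor_id`, `session_id`, `device`, `query`) and the sample events are constructed assumptions, not the exposed schema.

```python
import json
import re

# Deliberately broad pattern: for log hygiene, over-redacting is the safe failure mode.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample events; field names are assumptions, not the exposed schema.
SAMPLE_EVENTS = [
    '{"visitor_id": "v-1001", "session_id": "s-aaa", "device": "iPhone", "query": "covid-19 vaccine"}',
    '{"visitor_id": "v-1002", "session_id": "s-bbb", "device": "Android", "query": "jane.doe@example.com"}',
    '{"visitor_id": "v-1002", "session_id": "s-bbb", "device": "Android", "query": "allergy medication"}',
    '{"visitor_id": "v-1003", "session_id": "s-ccc", "device": "Android", "query": "refill for bob@example.org"}',
]

def scrub_event(line):
    """Return (event, found): event has email-like text in 'query' redacted."""
    event = json.loads(line)
    query, hits = EMAIL_RE.subn("[REDACTED_EMAIL]", event.get("query", ""))
    event["query"] = query
    return event, hits > 0

def scrub_stream(lines):
    """Scrub every event and report which sessions had carried an email address."""
    clean, linkable_sessions = [], set()
    for line in lines:
        event, found = scrub_event(line)
        clean.append(event)
        if found:
            linkable_sessions.add(event["session_id"])
    # Every event in a flagged session was tied to the email, not only the one holding it.
    exposed = sum(1 for e in clean if e["session_id"] in linkable_sessions)
    return clean, sorted(linkable_sessions), exposed

if __name__ == "__main__":
    events, sessions, exposed = scrub_stream(SAMPLE_EVENTS)
    for e in events:
        print(json.dumps(e))
    print("sessions that contained an email:", sessions, "| events affected:", exposed)
```

The affected-event count shows why a single stray email matters: it ties every other search in the same session to a person.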
WebsitePlanet sent a private disclosure notice to CVS Health and quickly received a response confirming the dataset belonged to the company.
CVS Health said the database was managed by an unnamed vendor on behalf of the firm and public access was restricted following disclosure.
"In March of this year, a security researcher notified us of a publicly-accessible database that contained non-identifiable CVS Health metadata," CVS Health told ZDNet. "We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We've addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter."