CVS hacked? More than a billion records maintained by CVS Health, which also owns the Aetna and CVS Pharmacy brands, have been exposed online. The leaked records show a large quantity of the search queries entered into the CVS.com and CVSHealth.com websites.
Users appear to have looked for medications, COVID-19 vaccines and other personal health-related items. Have hackers determined how to tie this meta-data information to specific individuals? Might hackers use it against people?Theoretically, it’s possible…
Pharmacy information exposed?
The CVS Health database in question is 204GB in size. It contained event and configuration information, from production records of visitor IDs, to session IDs, to information about how the logging system functioned from the backend.
Records exposed showed queries for medications, COVID-19 vaccines, information about CVS products and more. “Hypothetically, it could have been possible to match the Session ID with what they [users] searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” says a recent report on the issue.
In addition, some phone-based visitors to the CVS website may have perceived themselves as entering their email address, as to log into their accounts. In reality, they were entering their information into the search bar. This may help explain the volume of email addresses stored in search records.
However, the vast majority of exposed information did consist of fairly mundane material. For example, whether or not people removed an item from a cart, index-patterns, configuration data…etc. Would hackers even have a sense of how to use it?
Experts assert that cyber hackers have the capacity to leverage the information in the unsecured database for their own purposes. For example, hackers could cross-reference some of the product data and email addresses listed in the system, and use it to inform targeted phishing campaigns.
“Cyber criminals and Nation States alike use complex methods to collect and exploit the data they find. Often they use the same methods as legitimate security researchers to identify publicly exposed data,” stated cyber security researcher, Jeremiah Fowler, in a report.
Nonetheless, there is no direct risk to customers, according to the senior director of CVS corporate communications, Mike DeAngelis.
How did it happen?
According to experts, the CVS Health database lacked password protection. Identity access management methodologies were not in use and mechanisms did not exist to prevent unauthorized entry. In addition, a cloud-based misconfiguration issue may have functioned as a catalyst for the leak.
Who is to blame?
Upon discovery of the unsecured data set, a private disclosure notice was sent to CVS Health, and the company issued a response in a timely manner. The response noted that a third-party vendor was responsible for managing the database.
“We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter,” stated CVS.
According to a CVS spokesperson, technology professionals removed the database from the internet. CVS representatives did not comment regarding the email addresses disclosed within the database.
CVS health, more than a pharmacy
In 2018, CVS acquired Aetna. Therefore, the company now ranks as #4 on the Fortune 500 list of the largest American organizations as assessed by revenue. The company trails Walmart, Amazon and Apple. CVS Health also runs the CVS Caremark prescription pharmaceutical management company, which many health insurers rely on.
Some experts believe that, while CVS must shoulder the burden of this data breach, the incident was not really the company’s fault. A misconfiguration gets the blame. Over 90% of cloud-based data breaches occur due to human error.
CVS hacked: In summary
All in all, this data base exposure finding highlights the risks that come with certain types of meta-data collection. It also sheds light on how easily information can be obtained by threat actors and potentially used for criminal purposes. Competitors may also have interests in the meta-data that companies maintain and unintentionally expose.
In other words, competitors could use this data to determine which of their products they need to highlight in advertising efforts as to keep pace with CVS.
Can CVS maintain its position as a leader among retail pharmacies? Will CVS remain an attractive investor prospect despite the data breach? This type of breach can yield negative long-term repercussions for an organization. Therefore, for any organization, and especially those within the health sector, maintaining tight cyber security controls is key.
For more on this story, visit Forbes.