American healthcare company CVS is facing one of the biggest data breaches in history.
More than 1 billion CVS Health search records were accidentally posted online in a data breach incident that happened in late March 2021, and an unnamed third-party vendor is to blame.
Misconfiguration in cloud database is the culprit
Independent cybersecurity researcher Jeremiah Fowler discovered the breach and quickly alerted CVS, and the database was taken offline the same day.
Speaking to Forbes, Fowler said that the records contained search data from CVS.com and CVSHealth.com for both COVID-19 vaccines and medications.
However, some people did enter their own email addresses in the search bar, likely mistaking the search bar for the place to enter login information.
It is possible that this data could be traced back to an individual customer.
Along with Fowler, the research team at WebsitePlanet discovered the database, which was not password-protected, on March 21st.
Their findings also uncovered CVS’s configuration settings and backend operations, information that could be used for phishing attacks if it were obtained by bad actors.
The search data obtained from the breach also contained users' session IDs, along with what they searched for or added to the shopping cart during that session.
By matching this with the exposed email addresses, attackers could try to identify the customer.
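One way a site operator could keep this linkage out of stored search logs, shown as an added example that is not from CVS, the researchers, or the original article: redact email-like strings from search queries before a record is written, and count how many records share a session ID with an email. The field names `session_id` and `query` and the sample records are constructed assumptions, not the exposed database's schema.

```python
import re

# Pragmatic matcher for emails typed into a search box (not a full RFC 5322 parser).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
REDACTED = "[REDACTED_EMAIL]"

def scrub_record(record):
    """Return (clean_copy, had_email); the input record is not mutated."""
    clean_query, hits = EMAIL_RE.subn(REDACTED, record.get("query", ""))
    return dict(record, query=clean_query), hits > 0

def scrub_log(records):
    """Scrub every record and report the sessions an email would de-anonymise."""
    cleaned, exposed_sessions = [], set()
    for rec in records:
        clean, had_email = scrub_record(rec)
        cleaned.append(clean)
        if had_email:
            exposed_sessions.add(rec.get("session_id"))
    # Every record sharing a session ID with an email becomes attributable,
    # not only the single record that carried the address.
    linkable = sum(1 for r in records if r.get("session_id") in exposed_sessions)
    return cleaned, exposed_sessions, linkable

# Constructed sample records; field names are assumptions, not the real schema.
SAMPLE_LOG = [
    {"session_id": "s-1001", "query": "covid vaccine appointment"},
    {"session_id": "s-1001", "query": "jane.doe@example.com"},
    {"session_id": "s-1001", "query": "blood pressure medication"},
    {"session_id": "s-2002", "query": "allergy tablets"},
    {"session_id": "s-3003", "query": "refill Bob_Smith+rx@mail.example.org please"},
]

if __name__ == "__main__":
    cleaned, sessions, linkable = scrub_log(SAMPLE_LOG)
    for rec in cleaned:
        print(rec)
    print("sessions that contained an email:", sorted(sessions))
    print("records linkable to a person before scrubbing:", linkable)
```

Scrubbing at write time matters because one stray email makes every other search in the same session attributable, which is the matching risk described above.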
Acknowledging this data leak, CVS Health in a public statement said,
"In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata.
We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients."
Even if no personal data was collected, a breach of this size can present legitimate risks to large organizations like CVS that track search data for analytics, marketing, and customer engagement purposes.
Unfortunately, only human error can be blamed for both the misconfiguration that publicly exposed the database and website visitors who entered their own email addresses in the search bar.
Accidental data exposures like these may not get as many attention-grabbing headlines as ransomware attacks, but they are certainly still a potential cause for concern.