Over a billion records belonging to CVS Health were exposed online. This is another example of how a single misconfigured cloud service can expose data at scale.
Cybersecurity researcher Jeremiah Fowler and the WebsitePlanet team reported that they discovered a massive database belonging to health care giant CVS Health that was publicly exposing sensitive records.
The database had no form of authentication to prevent unauthorized access: the team found over a billion records related to the company readable by anyone on the internet.
The 204GB database contained details about the firm's visitors and devices: visitor IDs, session IDs, device access information, and details of how its logging system operated on the backend. Search records for COVID-19 vaccines and other products were also exposed.
The report states that an attacker could have matched a session ID with the search terms and shopping-cart contents from that session and then identified the shopper:
“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” the report states.
The researchers said the database could also have been used to craft targeted phishing emails, since email addresses were logged in the same records and could be cross-referenced with the search and cart activity.
WebsitePlanet sent a private notice to CVS Health informing it that the database was publicly accessible.
CVS Health said the database was hosted and managed by an unnamed third-party vendor, and that public access was removed after disclosure:
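As an added illustration, not code from the report, from WebsitePlanet or from CVS Health, the Python script below runs the correlation the researchers describe over a few constructed log lines: records are grouped by session ID, and any session that also logged an email address is tied to the searches and cart items from that session, while sessions with no email stay anonymous. The field names (`session_id`, `event`, `query`, `item`, `email`) and the sample records are assumptions made for this example; the real schema of the exposed database is not published on this page.

```python
import json
from collections import defaultdict

# Constructed sample log lines (not real CVS data), modelled on the record
# types the report describes: session IDs, search terms, cart events, and an
# email captured in the same session. Field names are assumed for the example.
SAMPLE_LOG = """
{"session_id": "s-1001", "event": "search", "query": "covid-19 vaccine appointment"}
{"session_id": "s-1001", "event": "cart_add", "item": "rapid antigen test"}
{"session_id": "s-1001", "event": "email_submit", "email": "alice@example.com"}
{"session_id": "s-2002", "event": "search", "query": "prenatal vitamins"}
{"session_id": "s-3003", "event": "search", "query": "insulin pen needles"}
{"session_id": "s-3003", "event": "email_submit", "email": "bob@example.com"}
{"session_id": "s-2002", "event": "cart_add", "item": "pregnancy test"}
"""


def parse_log(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole analysis
    return records


def group_by_session(records):
    """Collect searches, cart items and any submitted email per session ID."""
    sessions = defaultdict(lambda: {"email": None, "searches": [], "cart": []})
    for r in records:
        sid = r.get("session_id")
        if not sid:
            continue
        s = sessions[sid]
        ev = r.get("event")
        if ev == "search" and "query" in r:
            s["searches"].append(r["query"])
        elif ev == "cart_add" and "item" in r:
            s["cart"].append(r["item"])
        elif ev == "email_submit" and "email" in r:
            s["email"] = r["email"]
    return dict(sessions)


def link_identities(sessions):
    """Map each leaked email to the activity of its session.

    Returns (identified, anonymous_count). Sessions that never logged an
    email cannot be tied to a person from this data alone and stay anonymous.
    """
    identified = {}
    anonymous = 0
    for sid, s in sessions.items():
        if s["email"]:
            identified[s["email"]] = {
                "session_id": sid,
                "searches": s["searches"],
                "cart": s["cart"],
            }
        else:
            anonymous += 1
    return identified, anonymous


def deanonymize(log_text):
    """End-to-end: parse the log, join on session ID, attach emails."""
    return link_identities(group_by_session(parse_log(log_text)))


if __name__ == "__main__":
    identified, anonymous = deanonymize(SAMPLE_LOG)
    for email, info in identified.items():
        print(email, "->", info["searches"], info["cart"])
    print("sessions without an email:", anonymous)
```

The point of the join is that a session ID or device ID is not "non-identifiable" on its own terms: it becomes identifying as soon as any record in the same session carries contact data. When reviewing a logging pipeline, check whether identifiers that key user activity are ever written next to an email, phone number or account ID in the same store; if they are, the store needs the same access controls and retention limits as the customer database itself.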
“In March of this year, a security researcher notified us of a publicly-accessible database that contained non-identifiable CVS Health metadata,” CVS Health told ZDNet. “We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”