CVS accidentally leaks a billion user site records
CVS wasn’t in the wrong, just following industry practices
Cybersecurity researchers have chanced upon an unsecured database of healthcare and retail giant CVS that could have been used to identify customers.
According to security expert Jeremiah Fowler, the database measured over 200GB and contained over a billion records. The database contained a large number of searches on CVS.com and CVSHealth.com for medications and Covid-19 vaccines, and other items.
Surprisingly though, the database marked as “production” also housed a large number of email addresses.
“CVS Health acted fast and professionally to secure the data and a member of their Information Security Team contacted me the following day and confirmed my findings and that the data was indeed theirs,” Fowler noted.
CVS told Forbes that the database was looked after by a third-party vendor, and was quickly taken down after Fowler flagged the leak.
Incessant logging
Fowler noticed the email addresses from all the popular email service providers while perusing the database for personally identifiable information.
Mostly though, the database contained records that indicated visitors searching for a range of items.
During his communication with CVS, Fowler learnt that the database was a dump of the queries entered into the search bar. Since most of the email addresses were entered on mobile devices, he suspects that the app’s user interface misled users into entering their email address in the search bar, thinking they were logging into their account.
Fowler believes the inadvertent collection of email addresses highlights the risks of incessant activity logging.
“I recommended to CVS that in the future they should block any searches that match email address patterns or domain names from being executed or logged. This could help avoid unwanted data from being collected or stored,” Fowler suggests.
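One way to apply Fowler's recommendation at the point where a search is accepted, as an added Python example rather than CVS's or Fowler's own code (the regular expressions, the sample queries and the shape of the log record are assumptions): a query that contains an email-address pattern, or that is nothing but a bare domain name, is neither executed nor written to the log verbatim; only the reason for the block is recorded.

```python
import re
from typing import Optional

# Constructed detection patterns (added example, not CVS's or Fowler's code).
# An email-shaped token anywhere in the query is enough to block it.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)
# A bare domain name: the whole query is one or more labels plus a TLD.
DOMAIN_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def classify_query(query: str) -> str:
    """Return 'email', 'domain' or 'ok' for a raw search-bar string."""
    q = query.strip()
    if EMAIL_RE.search(q):
        return "email"
    if DOMAIN_RE.match(q):
        return "domain"
    return "ok"


def handle_search(query: str, log: list) -> Optional[str]:
    """Gate a search before it is executed and before it is logged.

    Blocked queries are not executed and are never stored; only the
    reason is appended to the audit log, so an address typed into the
    search bar by mistake cannot end up in a log dump.
    Returns the cleaned query to run, or None when it was blocked.
    """
    kind = classify_query(query)
    if kind != "ok":
        log.append({"event": "search_blocked", "reason": kind})
        return None
    q = query.strip()
    log.append({"event": "search", "query": q})
    return q


if __name__ == "__main__":
    # Constructed sample queries of the kinds the article describes.
    samples = ["covid vaccine", "lipitor 20mg", "alice@example.com",
               "Alice@Example.COM ", "example.com", "cvs pharmacy hours"]
    audit = []
    for s in samples:
        print(f"{s!r:25} -> {handle_search(s, audit)!r}")
    print(audit)
```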
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.