Unprotected CVS database exposed sensitive customer searches

Researchers have discovered an unprotected, exposed online database with over a billion records belonging to American healthcare company CVS Health.

The discovery, made by researcher Jeremiah Fowler and the WebsitePlanet research team, happened in March 2021 and the database was secured the next day, after CVS Health was notified and they contacted the (unnamed) third-party vendor in charge of securing the database.

“CVS Health acted fast and professionally to secure the data and a member of their Information Security Team contacted me the following day and confirmed my findings and that the data was indeed theirs. I was informed that this was a contractor or vendor who managed this dataset on behalf of CVS Health, but it was confidential as to who the vendor was,” Fowler said.

What type of data was accessible?

It is still unknown whether someone other than the researchers previously found the exposed database and/or exfiltrated the data held within, but according to Fowler, the data – which includes searches made on CVS Health and CVS.com and some email addresses – could be used to identify some of the customers and target them with social engineering attacks (e.g., phishing).

“According to the CVS representative, these emails were not from CVS customer account records and were entered into the search bar by visitors themselves. The search bar captures and logs everything that is entered into the website’s search function and these records were stored as log files,” Fowler explained.

“The records also contained a ‘Visitor ID’ and ‘Session ID’. I saw multiple records that indicated visitors searching for a range of items including medications, Covid 19 vaccines, and other CVS products. Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails.”

Comments from the industry

Ami Luttwak, CTO and co-founder of Wiz, noted that this data exposure should not surprise anyone: “Although the cloud is much more secure, it brings new risks—with unintended cloud exposure the number one risk for cloud environments. Cloud security teams must actively search for unintended exposure, as it is the only way to prevent these incidents.”

Ray Canzanese, Director of Threat Research at Netskope, said that improperly configured security groups, network access control lists (NACLs), and firewall rules is a common type of exposure in IaaS providers like AWS, Azure, and GCP.

“We have recently performed a study of public exposure of compute infrastructure in IaaS environments across the three major IaaS providers that indicated >35% of compute instances expose at least one service to the Internet,” he told Help Net Security

“Things you can do to avoid such exposures include scanning your own cloud environments automatically to discover and lock down exposed resources. ZTNA products also provide a means to give employees secure access to cloud resources, whether they are hosted on-prem or in the cloud, without exposing them to the internet.”

David Pickett, senior cybersecurity analyst at AppRiver, notes that aside from protecting sensitive customer information, organizations must make sure that any third-party vendors who have been brought on to help with security and cloud migration have proper security measures in place.

“In this case, the database was not protected by a password and had no authentication requirements. Implementing two-factor authentication (2FA) or a multi-factor authentication (MFA) protection approach provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user’s phone, email address or through an authenticator app, after entering their username and password. It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical,” he explained.

“Another component to be mindful of when working with third-party vendors that have access to company data is reviewing and understanding what the vendor agreement encompasses for security practices. These solutions will help to prevent companies from becoming another statistic in a long list of companies who have had data exposed online.”