Over a billion records belonging to CVS Health exposed online

Researchers discovered an unprotected database belonging to CVS Health that was exposed online containing over a billion records.

This week WebsitePlanet along with the researcher Jeremiah Fowler discovered an unsecured database, belonging to the US healthcare and pharmaceutical giant CVS Health, that was exposed online. The database was accessible to everyone without any type of authentication.

“On March 21st, 2021 the WebsitePlanet research team in cooperation with Security Researcher Jeremiah Fowler discovered a non-password protected database that contained over 1 billion records. Upon further research it was apparent that the data was connected to CVS Health.” reported the WebsitePlanet website.

The researchers responsible disclosed to CVS Health which promptly secured the archive the same day.

The content of the 204GB-database included a total of 1,148,327,940 records containing aggregate data and event data, production records that exposed visitor ID, session ID, and device information (ie: iPhone, Android, iPad etc.).

Some of the exposed records also include visitors’ queries for a broad range of terms, including medications, Covid 19 vaccines, and other CVS Health products. This info could be theoretically used to identify the customers.

“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” continues the report.

Experts explained that sampling search query revealed emails that could be the target of social engineering attack or potentially used to cross reference other actions.

According to CVS Health, the unsecured database was managed by an unnamed third-party vendor.

“Thank you again for contacting us about this. We were able to reach out to our vendor and they took immediate action to remove the database. Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.” reads a statement published by CVS Health.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.