Over a billion records belonging to CVS Health exposed online

Researchers discovered an unprotected database belonging to CVS Health that was exposed online containing over a billion records.

This week WebsitePlanet along with the researcher Jeremiah Fowler discovered an unsecured database, belonging to the US healthcare and pharmaceutical giant CVS Health, that was exposed online. The database was accessible to everyone without any type of authentication.

“On March 21st, 2021 the WebsitePlanet research team in cooperation with Security Researcher Jeremiah Fowler discovered a non-password protected database that contained over 1 billion records. Upon further research it was apparent that the data was connected to CVS Health.” reported the WebsitePlanet website.

The researchers responsible disclosed to CVS Health which promptly secured the archive the same day.

The content of the 204GB-database included a total of 1,148,327,940 records containing aggregate data and event data, production records that exposed visitor ID, session ID, and device information (ie: iPhone, Android, iPad etc.).

Some of the exposed records also include visitors’ queries for a broad range of terms, including medications, Covid 19 vaccines, and other CVS Health products. This info could be theoretically used to identify the customers.

“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” continues the report. 

Experts explained that sampling search query revealed emails that could be the target of social engineering attack or potentially used to cross reference other actions.

According to CVS Health, the unsecured database was managed by an unnamed third-party vendor. 

“Thank you again for contacting us about this. We were able to reach out to our vendor and they took immediate action to remove the database. Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.” reads a statement published by CVS Health.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]