CVS Health Data Breach

The WebsitePlanet research team with the support of Security Researcher Jeremiah Fowler revealed a non-password protected database of ‘CVS Health’ that contained over 1 billion records.

The CVS Health Database Contains the Following Details

  • Total Size: 204.0 GB
  • Total Records: 1,148,327,940
  • Production records that exposed Visitor ID, Session ID, device information (ie: iPhone, Android, iPad, etc.)
  • Data types: add to cart, configuration, dashboard, index-pattern, more refinements, order, remove from cart, search, server.
  • Sampling search query revealed emails that could be targeted in a phishing attack for social engineering.
  • Files gave a clear understanding of configuration settings, where data is stored, and a blueprint of how the logging service operates from the backend.

CVS Health Data Breach

The research team performed quite a lot of search queries for common email extensions such as Gmail, Hotmail, and Yahoo. Results for each query within the dataset indicated the records contained email addresses.

Many personal email addresses are formatted using portions or all of the user’s name and found a small sampling of individuals by simply searching Google for the publicly exposed email address.

Fowler said that the records also contained the data types Visitor ID and Session ID, indicating the items that visitors searched for, including medications, COVID-19 vaccines, and other CVS products. All of this data strung together could have created a snapshot of private details about individuals’ health.

He mentions in the adversary, “Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,”

According to the CVS representative, the emails were not from CVS customer account records and were entered into the search bar by visitors themselves. The search bar captures and logs everything that is entered into the website’s search function and these records were stored as log files.

While reviewing the mobile version of the CVS, visitors may have assumed they were logging into their account but were entering their email address into the search bar.

Fowler added saying, “How so many email addresses ended up in a database of product searches that were not intended to identify the visitor?”. “The records also illustrate what device was used and a majority of the searches I saw were from phones and mobile devices, but there were also desktop computers”.

The team observed the activity logging that exposed all this information is a “necessary evil,” that can lead to the exposure of sensitive records. This activity logging and tracking can frequently contain metadata or error logs that unintentionally expose more sensitive records.

When a database is exposed, data about configuration, applications, software, operating systems and build information will be exposed: data that could identify potential vulnerabilities if they were unpatched or outdated.

CVS Health reaches out to their vendor and took immediate action to remove the database. Therefore the data breach highlights how something as simple as search logging and a misconfigured database could potentially capture and expose data.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.