More than one billion records pertaining to customers at CVS have been exposed due to a misconfiguration error on the service’s cloud database. The database was left unprotected, without a password required to access the sensitive data. The leak was discovered by researcher Jeremiah Fowler, who determined the size of the data to be roughly 240GB. The security oversight resulted in a total of 1,100,000,000 records pertaining to CVS Pharmacy and Aetna being exposed. Information includes customers’ search histories detailing medications, visitor IDs, session IDs, and device information.
Personal data was also exposed in the snafu, leaving CVS customers vulnerable to sophisticated phishing attacks utilizing a combination of social engineering and the exposed medical information. Researchers stated that any threat actors that may have accessed the database could have obtained a clear understanding of the configuration settings, leading them to find where the data is stored. CVS Pharmacy was contacted on March 21 when the database was discovered. CVS allegedly acted swiftly to secure the database and prevent further access.
Read More: A Billion CVS Records Exposed