Companies and organizations are acutely aware of cybersecurity threats and the consequences if anything should happen. So, for the most part, big companies invest lots of money to upgrade systems and install electronic barriers.
But one factor that these companies don’t always account for, and that cybercriminals count on, is human error. You can have the most sophisticated system available, but if it’s misconfigured, you might as well turn it off.
Pharmacy giant CVS learned this the hard way this week, as over a billion customer records leaked onto the internet. This is the latest in a string of recent incidents exposing customer details.
Here’s the backstory
Security researchers uncovered a massive collection of CVS customer data stored in a database with no password protection at all. Tied to CVS Health, the 204GB database contained 1.1 billion records, including customer email addresses, device IDs, what customers ordered and what they searched for.
The discovery, made by security researcher Jeremiah Fowler with the help of Website Planet, was reported to CVS on March 21, 2021. A misconfigured data server turned out to be the cause, leaving the records open to public access.
“CVS Health acted fast and professionally to secure the data. A member of their Information Security Team contacted me the following day and confirmed my findings, and that the data was indeed theirs. I was informed that this was a contractor or vendor who managed this dataset on behalf of CVS Health, but it was confidential as to who the vendor was,” Fowler explained in a blog post.
Exposing your data
The pharmacy giant can be grateful that Fowler discovered the flaw rather than a hacker or scammer. It could have ended much worse for the company and all the customers involved.
Because Fowler alerted CVS, no customer data is known to have spilled onto the Dark Web or been used by cybercriminals. But Fowler stresses that, in theory, it could have happened, and the result would have been devastating.
“It is always a race against the clock to help secure exposed data before it is exploited or wiped out by ransomware. We were unable to review all 1.1 billion records due to the urgency we put into responsibly reporting this exposure and how fast the CVS vendor restricted public access,” he explained.
Fowler concluded without implying any wrongdoing by CVS Health. He also stressed that customers and website visitors weren’t at risk. So, for now, it seems that if you are a CVS Health customer, your data is safe.
One thing to keep an eye out for is phishing emails related to this massive data leak. Because the database was exposed, someone with malicious intent could, in fact, have accessed it and gathered personal records to use later in spear phishing attacks.
Even if that didn’t happen, cybercriminals could send spoofed emails pretending to be from CVS and warning you about the data leak. Such a spoofed email would most likely contain malicious links or attachments that could infect your device with malware if opened. That’s why it’s best never to click links or open attachments from unsolicited messages.