Security researchers earlier this spring discovered a database containing more than a billion records, including emails that could be targeted in a phishing attack for social engineering.
The database, which was not password-protected, was flagged by the WebsitePlanet research team in cooperation with Jeremiah Fowler.
Public access to the data was restricted the same day that CVS Health was notified.
“In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata,” said CVS Health in a statement sent to Healthcare IT News.
“We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personally identifiable information of our customers, members or patients,” according to the statement.
“We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”
WHY IT MATTERS
According to CVS Health, the metadata did not contain any personally identifiable information.
However, the researchers noted that the records contained email addresses – which could conceivably identify a person’s first or last name. They pointed out, for example, that a Google search for some of the exposed email addresses enabled them to identify the email’s operator.
The records also contained a “visitor ID” and “session ID.”
“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” wrote Fowler in his blog post.
CVS Health did not respond to follow-up questions about this potential connection.
Fowler says CVS Health told him that the emails were not from customer account records. Rather, they were entered into the search bar, which captures and logs everything that is entered into the website’s search function, by visitors themselves – likely in a mistaken attempt to log in to their account using the wrong field.
“This could explain how so many email addresses ended up in a database of product searches that was not intended to identify the visitor,” said Fowler.
Fowler reiterated that email addresses for the visitor’s profile or shopping cart were not collected to this database, but that human error was at the heart of both the data exposure and the accidental email address search bar entry.
“The Visitor ID and Session ID alone contained no identifiable data and only when combined with the email addresses could there have been any remote possibility to identify the user,” he said.
Fowler also noted that any database exposure gives cyber criminals the opportunity to gain insight into potential vulnerabilities.
“We are not implying any wrongdoing by CVS Health, their contractors, or vendors. We are also not implying that customers, members, patients or website visitors were at risk. The theories expressed here are based on hypothetical possibilities of how this data could be used,” said Fowler.
THE LARGER TREND
Accidental data exposure may not get as many attention-grabbing headlines as ransomware attacks, but it is certainly still cause for potential concern.
Earlier this year, a Wyoming health department employee accidentally uploaded test results from more than a quarter of the state’s population to a public-facing website.
And in 2018, a Blue Cross employee uploaded a file containing member information for 16,000 people to a public-facing website. The data remained visible for three months.
ON THE RECORD
“Cyber criminals and nation states alike use complex methods to collect and exploit the data they find,” Fowler wrote. “Often they use the same methods as legitimate security researchers to identify publicly exposed data.
“While we work daily to protect the data we discover there are cyber criminals looking to exploit the data for nefarious purposes,” he added. “Each record of information serves as a puzzle piece to provide a larger picture of an organization’s network or data storage methods.”
Source: Read Full Article