"CVS Health Records for 1.1 Billion Customers Exposed"

Security researchers at WebsitePlanet found the non-password-protected database, which had no form of authentication in place to prevent unauthorized entry, on March 21. The database contained information about CVS Health customers. The researchers stated that the database included enough information to derive customers’ PII. The total size of the database was 204 GB, according to the researchers. It held 1.1 billion records, or, to be precise, 1,148,327,940 files. They were labeled “production” and included information typed into search bars, such as the data types add to cart, configuration, dashboard, index-pattern, more refinements, order, remove from cart, search, and server. The records also exposed fields called Visitor ID, Session ID, and device information, such as whether customers were using an iPhone, an Android, an iPad, or a desktop PC. The team noted that by stringing together the data, they could reveal emails that could be targeted in a phishing attack, in social engineering, or “potentially used to cross-reference other actions.” The researchers believe that the database was left open due to human error. The researchers stated that this instance is probably yet another incidence of rampant misconfiguration that is plaguing cloud-based storage, leading to exposure of sensitive data on an internal network. After the researchers contacted CVS Health, the naked database was closed off from public view.

Threatpost reports: "CVS Health Records for 1.1 Billion Customers Exposed"