One Receipt's Worth of CVS Health Records Were Exposed Online

A third party connected to the pharmacy's parent company left a billion user records unsecured, exposing email addresses, user IDs, and more.

Photo: Scott Olson (Getty Images)

CVS, that glorious, bustling enterprise where the receipts extend beyond the reaches of man, has suffered a data leak of equally infinite proportion.


About a billion user records belonging to CVS Health, the parent company that owns the webbed network of fluorescent-lit hellscapes, were recently exposed to the internet—leaving email addresses, user IDs and customer metadata publicly visible online.

The data, which appears to have been collected from both cvs.com and cvshealth.com, represents typical website visitor logs—the kind routinely catalogued by companies to measure how consumers interact with their platforms.

CVS Health owns not only the CVS Pharmacy chain but many other large healthcare firms, too, including insurance giant Aetna. Customers typically use CVS Health’s domains to store their CVS account information and/or look up products and medicines.

The cloud database storing all that information, approximately 204 gigabytes of it, was left without a password—open and visible to the internet—for an undetermined period of time. The database was run by a third party, whose identity CVS has not disclosed. The exposure was uncovered by Website Planet, which conducts research into unsecured internet data.

In addition to user email addresses, visitor and session IDs, and device information, the data includes metadata categories like “add to cart,” “order,” “remove from cart,” and “search,” meaning that someone could fairly easily piece together a pretty intimate picture of the person using the website, what their health foibles and concerns are, and more.

“I saw multiple records that indicated visitors searching for a range of items including medications, Covid 19 vaccines, and other CVS products,” said Jeremy Fowler, of Website Planet. “Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails.”
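The correlation Fowler describes works because the analytics store held raw emails next to raw session IDs. As an added illustration (this is not code from the article, CVS Health, or Website Planet; the record layout, the `analytics-pseudonym-key` placeholder and the field names are assumptions), the following Python pipeline step shows the data-minimization control that removes that risk at write time: direct identifiers are dropped, session and visitor IDs are replaced with keyed HMAC pseudonyms so events within a session still link for analytics, free-text fields are scrubbed for stray emails, and a final gate refuses to ship any batch that still carries a direct identifier.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterable, List

# Constructed sample records modelled on the categories the article lists
# (email, visitor/session IDs, device info, "search"/"add to cart" events).
# Not real CVS data.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "session_id": "S-1001", "visitor_id": "V-1",
     "device": "iPhone", "event": "search", "value": "blood pressure medication"},
    {"email": "alice@example.com", "session_id": "S-1001", "visitor_id": "V-1",
     "device": "iPhone", "event": "add to cart", "value": "product 4471"},
    {"email": "", "session_id": "S-1002", "visitor_id": "V-2",
     "device": "Android", "event": "search", "value": "covid vaccine appointment"},
    {"email": "", "session_id": "S-1003", "visitor_id": "V-3",
     "device": "Windows", "event": "search", "value": "order status for bob@example.net"},
]

# Assumed placeholder; in production the key lives in a secrets manager,
# never in the analytics store it protects, so the store alone cannot be reversed.
PSEUDONYM_KEY = b"analytics-pseudonym-key"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym, truncated to 16 hex chars.
    Same input + same key -> same output, so per-session analytics still work,
    but without the key the original ID cannot be recovered or guessed by
    hashing candidate values (a plain unkeyed hash would allow that)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sanitize_record(rec: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Return a copy of one visitor-log record that is safe to store."""
    out = dict(rec)
    out.pop("email", None)  # direct identifier: never belongs in visitor logs
    out["session_id"] = pseudonymize(rec["session_id"], key)
    out["visitor_id"] = pseudonymize(rec["visitor_id"], key)
    # Emails typed into search boxes or order lookups end up in free text; scrub them.
    out["value"] = EMAIL_RE.sub("[redacted-email]", rec.get("value", ""))
    return out


def sanitize_all(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [sanitize_record(r, key) for r in records]


def contains_direct_identifier(records: Iterable[Dict[str, str]]) -> bool:
    """Gate run on every batch before it is written: True means block the write.
    Catches both a surviving email field and an email embedded in any string value."""
    for r in records:
        if "email" in r:
            return True
        if any(isinstance(v, str) and EMAIL_RE.search(v) for v in r.values()):
            return True
    return False


if __name__ == "__main__":
    clean = sanitize_all(SAMPLE_RECORDS, PSEUDONYM_KEY)
    print("raw batch blocked:", contains_direct_identifier(SAMPLE_RECORDS))
    print("clean batch blocked:", contains_direct_identifier(clean))
    for r in clean:
        print(r)
```

This addresses the content of the records; the other half of the incident, a database reachable without authentication, is a deployment control (credentials, network exposure) that no record-level scrubbing substitutes for. The two controls are complementary: with both in place, an exposed store yields only pseudonymous event streams that cannot be tied back to a person's inbox.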


Yes, the potential ways cybercriminals could exploit this data for nefarious purposes are legion. The first thing that jumps to mind is phishing attacks but, in general, you never really want strangers on the internet to have intimate details of your health concerns.

CVS told Fowler that they had reached out to the third party, which “took immediate action to remove the database.” We have reached out to CVS Health for comment and will update this story if they get back to us.


Staff writer at Gizmodo

DISCUSSION

Tommy

Well there goes more of my information.
Thankfully the info they gave away wasn’t something that my phone doesn’t already sell: “email addresses, visitor and session IDs, and device information, the data includes metadata categories like ‘add to cart,’ ‘order,’ ‘remove from cart,’ and ‘search.’”

I guess if I was ordering some embarrassing products I’d have a bigger issue with it, but this one doesn’t bug me at all. I hope they get punished for it though. Sounds like they got lucky that this didn’t contain even more sensitive data.