
Report: CVS Health Exposed Search Records Online

submitted by
Style Pass
2021-06-17 19:00:09

On March 21st, 2021 the WebsitePlanet research team, in cooperation with Security Researcher Jeremiah Fowler, discovered a non-password protected database that contained over 1 billion records. Upon further research it was apparent that the data was connected to CVS Health. We immediately sent a responsible disclosure notice to CVS Health, and public access was restricted the same day.

CVS Health acted fast and professionally to secure the data. A member of their Information Security Team contacted me the following day, confirmed my findings, and confirmed that the data was indeed theirs. I was informed that a contractor or vendor managed this dataset on behalf of CVS Health, but the vendor's identity was confidential.

The exposed records were marked “production”. When searching for potentially identifiable information, we performed several search queries for common email domains such as Gmail, Hotmail, and Yahoo. There were results for each query within the dataset, which indicated that the records contained email addresses. It is well known that many personal email addresses are formatted using portions or all of the user’s name. In addition, I was able to identify a small sampling of individuals simply by searching Google for the publicly exposed email address.

The records also contained a “Visitor ID” and “Session ID”. I saw multiple records indicating visitors searching for a range of items including medications, COVID-19 vaccines, and other CVS products. Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session, and then try to identify the customer using the exposed emails.
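The two preceding paragraphs describe the practical risk: search-log records carrying a Session ID alongside free-text queries, some of which are email addresses typed into the search box. The check below is an added example, not code from the report, CVS Health, or the vendor: it runs the same kind of email-domain sweep the researchers performed, but from the data owner's side, over a constructed sample of records, and then redacts the addresses so the log can be kept for analytics without the identifier that links a session back to a person. The record field names and all sample values are assumptions made up for this example.

```python
import re
from collections import Counter

# Constructed sample records in the shape the report describes: a visitor id,
# a session id, and the free-text query the visitor typed. These values are
# invented for this example and are not from the exposed dataset.
SAMPLE_RECORDS = [
    {"visitor_id": "v-1001", "session_id": "s-5001", "query": "covid 19 vaccine near me"},
    {"visitor_id": "v-1002", "session_id": "s-5002", "query": "jane.doe@gmail.com"},
    {"visitor_id": "v-1003", "session_id": "s-5003", "query": "ibuprofen 200mg"},
    {"visitor_id": "v-1004", "session_id": "s-5004", "query": "login bob_smith@hotmail.com password"},
]

# Deliberately broad email pattern: for a pre-publication sweep of a log,
# false positives are cheaper than a missed address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# The "common email extensions" the researchers searched for; any hit on one
# of these is a strong signal that the log contains personal addresses.
COMMON_DOMAINS = ("gmail.com", "hotmail.com", "yahoo.com")


def find_email_addresses(records):
    """Return (session_id, email) pairs for every query that contains an email address."""
    hits = []
    for rec in records:
        for match in EMAIL_RE.finditer(rec.get("query", "")):
            hits.append((rec["session_id"], match.group(0)))
    return hits


def domain_counts(records):
    """Count hits per email domain, which mirrors the Gmail/Hotmail/Yahoo sweep in the report."""
    counts = Counter()
    for _, email in find_email_addresses(records):
        counts[email.rsplit("@", 1)[1].lower()] += 1
    return dict(counts)


def redact_query(query):
    """Replace any email address in a query with a fixed token so the session
    can still be analysed without the value that identifies the person."""
    return EMAIL_RE.sub("[REDACTED_EMAIL]", query)


def redact_records(records):
    """Return a copy of the records with email addresses removed from the query field."""
    return [{**rec, "query": redact_query(rec.get("query", ""))} for rec in records]


def exposure_report(records):
    """Summarise what a reviewer would want to know before this log leaves a protected system."""
    hits = find_email_addresses(records)
    domains = domain_counts(records)
    return {
        "records": len(records),
        "sessions_with_email": len({sid for sid, _ in hits}),
        "common_domain_hits": sum(domains.get(d, 0) for d in COMMON_DOMAINS),
        "safe_to_publish": len(hits) == 0,
    }


if __name__ == "__main__":
    print("before:", exposure_report(SAMPLE_RECORDS))
    print("after: ", exposure_report(redact_records(SAMPLE_RECORDS)))
```

The point of running the sweep on the data owner's side is that the same query the researchers used to prove exposure works just as well as a release gate: if `safe_to_publish` is false, the dataset should not be reachable without authentication, and the redacted copy is what any downstream analytics job should consume.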
