More than a billion records were exposed after a misconfiguration error left a CVS Health cloud database without password protection.
The 240GB of unsecured data was discovered by WebsitePlanet and security researcher Jeremiah Fowler in a cooperative investigation.
Because of the security oversight by CVS Health, which owns CVS Pharmacy and Aetna, a total of 1,148,327,940 records were exposed.
Information that was left publicly accessible to anyone who knew how to look for it included customers’ search histories detailing their medications, and production records that exposed visitor ID, session ID, and device information (i.e., iPhone, Android, iPad, etc.).
Personal data was also exposed, with researchers noting that “a sampling search query revealed emails that could be targeted in a phishing attack for social engineering or potentially used to cross reference other actions.”
Researchers said that any threat actors who accessed the database could have gleaned a clear understanding of configuration settings, discovered where data is stored, and accessed a blueprint of how the logging service operates from the backend.
After encountering the unprotected database on March 21, researchers contacted CVS Health, which acted swiftly to restrict public access.
“We were able to reach out to our vendor and they took immediate action to remove the database,” said CVS Health. “Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.”
“Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone,” PJ Norris, senior systems engineer at Tripwire, told Infosecurity Magazine.
He continued: “A misconfigured database on an internal network might not be noticed, and if noticed, might not go public, but the stakes are higher when your data storage is directly connected to the internet. Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3.”