CVS, that glorious, bustling enterprise where the receipts extend beyond the reaches of man, has suffered a data leak of equally infinite proportion.
About a billion user records belonging to CVS Health, the parent company that owns the webbed network of florescent-lit hellscapes, were recently exposed to the internet—leaving email addresses, user IDs and customer metadata publicly visible online.
The data, which appears to have been collected from both cvs.com and cvshealth.com, represents typical website visitor logs—the kind routinely catalogued by companies to measure how consumers interact with their platforms.
Health owns not only the CVS Pharmacy chain but many other large healthcare firms, too, including insurance giant Aetna. Customers typically use Health’s domains to store their CVS account information and/or look up products and medicines.
The cloud database storing all that information, approximately 204-gigabytes of it, was left without a password—open and visible to the internet—for an undetermined period of time. The database was run by a third-party, whose identity CVS has not disclosed. The vulnerability was uncovered by Website Planet, which conducts research into unsecured internet data.
In addition to user email addresses, visitor and session IDs, and device information, the data includes metadata categories like “add to cart,” “order, “remove from cart,” and “search,” meaning that someone could fairly easily piece together a pretty intimate picture of the person using the website, what their health foibles and concerns are, and more.
“I saw multiple records that indicated visitors searching for a range of items including medications, Covid 19 vaccines, and other CVS products,” said Jeremy Fowler, of Website Planet. “Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails.”
Yes, the potential ways cybercriminals could exploit this data for nefarious purposes are legion. The first thing that jumps to mind is phishing attacks but, in general, you never really want strangers on the internet to have intimate details of your health concerns.
CVS told Fowler that they had reached out to the third party, which “took immediate action to remove the database.” We have reached out to CVS Health for comment and will update this story if they get back to us.