Security researchers discovered a CVS database containing 1.1 billion records exposed online. The database did not require any form of authentication and had no access management controls in place.
WebsitePlanet and security researcher Jeremiah Fowler originally discovered and reported on the leak. While the CVS database did not contain sensitive information, it did contain visitor IDs, session IDs, device information, email addresses, and search queries. Among these search queries on CVS.com and CVSHealth.com, customers sought information on medications and COVID-19 vaccines. The potential for abuse by phishers is obvious.
A third party was responsible for the dataset and the exposure; CVS immediately closed the database when informed of it by WebsitePlanet.
We consulted with cybersecurity experts on this data exposure. Here’s what they had to say.
CVS Database Containing Over 1 Billion Records Exposed
Jasen Meece is CEO of Cloudentity.
Unfortunately, this isn’t the first time a misconfiguration has exposed massive amounts of data online without any password protection or authentication controls in place. To prevent misconfigurations, organizations must implement identity and access management (IAM) controls on their databases and all other resources within their network to ensure every point of entry is secured. Additionally, they must follow a Zero Trust approach to confirm every user is continuously authorized based on context (who, what, where, when, etc.) before obtaining access to the system. Enabling these proactive measures can ensure all corporate and customer data is secure and safe from the hands of cyber-criminals.
David Pickett is a Senior Cybersecurity Analyst at Zix | AppRiver.
“The exposure of over a billion records belonging to CVS Health highlights the importance of protecting sensitive customer information as well as ensuring your organization and any third-party vendors who have been brought on to help with security and cloud migration have proper security measures in place. Companies that house personal information for millions of customers need to reflect on their current password practices and ensure they are building the safest habits to protect their companies and customers from cyber-criminals. In this case, the database was not protected by a password and had no authentication requirements. Implementing two-factor authentication (2FA) or a multi-factor authentication (MFA) protection approach provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user’s phone, email address or through an authenticator app, after entering their username and password. It’s getting easier for cyber-criminals to breach even the most complex password, which is why implementing 2FA is critical. Another component to be mindful of when working with third-party vendors that have access to company data is reviewing and understanding what the vendor agreement encompasses for security practices. These solutions will help to prevent companies from becoming another statistic in a long list of companies who have had data exposed online.”
Pravin Rasiah is VP of Product at CloudSphere.
“Healthcare systems, entrusted with large amounts of information, must be hypervigilant in protecting all of the data they collect. Patient records, visitor sessions, and logging information are all at risk. Leaving a database exposed without a password or authentication to prevent unauthorized entry is a surefire way to put this highly sensitive data in jeopardy. The complexity of cloud platforms means that without proper awareness of user access, any gap in security could leave the door open for cyber-criminals to infiltrate. To ensure data remains secure, a governance platform with the ability to provide real-time updates within the cloud landscape is vital. With holistic visibility into complex deployments, user access, and security guardrails in place to identify and remediate potential misconfigurations, healthcare organizations can properly secure and protect their patients’ information.”
Thanks to these experts for their time and expertise on the CVS database exposure. For more on how to secure your enterprise, check out the Solutions Suggestion Engine or the Identity Management Buyer’s Guide.