CVS Data Breach: Accidental Leak of 1B Records


The number of major corporations experiencing crippling security breaches is on the rise. Recent data breach statistics show how highly motivated bad actors are to acquire as much information from large enterprises as possible, because personal data is very valuable on the black market. The data breach CVS experienced this week shows that companies are still not adequately prepared to handle breaches.

Research into the CVS Health breach revealed that a non-password-protected database with over one billion confidential records was compromised. Upon disclosure, CVS Health revoked public access immediately. The company confirmed that the database was managed by a third-party vendor. However, the identity of the vendor was not revealed.

CVS Health is a healthcare company that owns the retail pharmacy chain CVS Pharmacy, the pharmacy benefits manager CVS Caremark, and the health insurance provider Aetna, as well as several other brands. The exposed database amounted to 204GB and contained a wide range of information, including personal use records displaying visitor ID, session info, and the device used. The hackers were even able to see whether the user accessed the site using an iPad, iPhone, or Android device.

According to security researchers, “Exposed files also gave a clear understanding of configuration settings, where the data is stored, and a blueprint of how the logging service operates from the backend.”

The records also revealed the user’s search queries, indicating that a large number of searches were for medications, COVID vaccines, and various other products sold by CVS companies. Surprisingly, even customer email addresses were exposed. CVS maintained the addresses did not come from customer account records but were voluntarily entered into the search bar by the user. A review of the CVS mobile site suggested that visitors may have entered their email address believing they were logging into their account.

The cause of the breach was determined to be an exposed database through a third-party provider. This particular database was completely unencrypted, with not even a password to protect its contents. After discovering the breach, a third-party service contacted the company and the database was corrected immediately.

This seems to be a case of a simple misconfiguration. Database misconfigurations are a common cause of data breaches in today’s world. Data security is a serious business and dealing with records as sensitive as the ones in this breach requires careful planning.

Many breaches in the healthcare industry can be blamed on misconfigured databases, servers, and other problems in the IT department. Some misconfiguration-related breaches have resulted in the exposure of massive amounts of data.

“Misconfigurations often go unnoticed in most cloud environments, until a data breach occurs,” said Eric Kedrosky, Director of Cloud Security Research and CISO at Sonrai Security. “To reduce the risks of misconfigurations, companies should know where their data resides, and its importance, and apply security best practices and frameworks to protect it. There should also be continuous monitoring for deviations from these best practices and alerts generated, and triaged to the appropriate places, when they occur. In this case, the issues would have been detected immediately, and if the right steps were taken, this data breach of over one billion records could have been avoided from EVER happening. [in the first place.]”

Companies should always encrypt and password-protect their databases and/or storage containers. Protocols and contingencies need to be put in place to safeguard the data in the event of an accident or configuration error. Common accidents include backing up data, restoring it, and forgetting to password-protect the new data set; accidentally leaking a private database to a public cloud; and not securing individual access to certain secure buckets. These all fall into the realm of human error, and human error, while preventable, can be mitigated.
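As an added illustration (not code from CVS, its vendor, or Sonrai Security), the sketch below audits a datastore inventory for the three accidents just listed and emits an alert for each deviation from the baseline. The inventory format and its field names (`public`, `auth_required`, `encrypted_at_rest`, `restored_from`, `principals`) are assumptions made for this example, and the sample records are constructed.

```python
# Added example: audit a constructed datastore inventory for the accidents named above.
# Field names (public, auth_required, encrypted_at_rest, restored_from, principals)
# are hypothetical, not any cloud provider's API.

REQUIRED = {"auth_required": True, "encrypted_at_rest": True, "public": False}

def audit(inventory):
    """Return a sorted list of (store_name, finding) tuples."""
    by_name = {s["name"]: s for s in inventory}
    findings = []
    for store in inventory:
        name = store["name"]
        for key, wanted in REQUIRED.items():
            # Fail closed: a missing attribute counts as a deviation.
            if store.get(key) is not wanted:
                findings.append((name, f"{key} is {store.get(key)!r}, expected {wanted!r}"))
        # Restored copy that lost a control its source still has.
        src = by_name.get(store.get("restored_from"))
        if src:
            for key in ("auth_required", "encrypted_at_rest"):
                if src.get(key) is True and store.get(key) is not True:
                    findings.append((name, f"restore dropped {key} set on {src['name']}"))
        # Bucket-style access list: a wildcard principal grants access to everyone.
        if "*" in store.get("principals", []):
            findings.append((name, "wildcard principal in access list"))
    return sorted(findings)

# Constructed sample inventory (not data from the incident).
SAMPLE = [
    {"name": "search-logs", "public": False, "auth_required": True,
     "encrypted_at_rest": True, "principals": ["svc-logging"]},
    {"name": "search-logs-restore", "restored_from": "search-logs", "public": True,
     "auth_required": False, "encrypted_at_rest": True, "principals": ["svc-logging"]},
    {"name": "exports-bucket", "public": False, "auth_required": True,
     "principals": ["*"]},  # encrypted_at_rest missing on purpose
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"ALERT {name}: {finding}")
```

Run on a schedule against a real inventory export, a check of this kind turns a forgotten password on a restored copy into an alert instead of an exposure.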

Monitoring access of authorized and unauthorized identities, educating employees, following careful procedures when working in the cloud, and procuring proper services and tools are all steps that can be taken to reduce the risk of a data breach. Always find the right tools to help protect your environment. This misconfiguration can be prevented, and our technical experts can help explain steps you can take today to prevent this error from happening to your organization.

Read more about the CVS data breach on Forbes