CVS accidentally leaked information through an unsecured database that contained more than 1 billion data points, including searches on CVS.com and CVSHealth.com for COVID-19 vaccines.
The leak was reported by Forbes, based on findings from independent cybersecurity researcher Jeremiah Fowler that were provided to Forbes by Website Informer.
“The bad part about this finding was just how big it was,” Fowler told Forbes. “The number of records would time-out or break my browsing tool when I tried to get a total number of emails. In a small sampling of records there were emails from all major email providers.”
A CVS spokesperson says the company took down the database, which it says was inadvertently disclosed. The company didn’t comment to Forbes on the email addresses disclosed in the database.
“Organizations collect this valuable data and use this information for analytics, customer management or marketing needs,” Fowler told Forbes. “At the same time, consumers want privacy and to have more control over their data and how companies or social media providers use that data. Users also need to feel like the company they are doing business with is taking proper data security measures to protect their data and personal privacy.”
A CVS spokesperson said a security researcher notified the company in March about a publicly accessible database that contained non-identifiable CVS Health metadata.
“We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personal information of our customers, members or patients,” the spokesperson said. “We worked with the vendor to quickly take the database down.
“We’ve addressed the issue with the vendor to prevent a recurrence, and we thank the researcher who notified us about this matter.”