- More than 1 billion CVS Health search records were accidentally posted online in a data breach incident in late March by an unnamed third-party vendor.
- The records contained search data from CVS.com and CVSHealth.com for both COVID-19 vaccines and medications.
- Independent cybersecurity researcher Jeremiah Fowler discovered the breach and quickly alerted CVS, and the database was taken offline on the same day.
- Fowler and the research team at WebsitePlanet discovered the database, which was not password-protected, on March 21st. Their findings uncovered CVS’ configuration settings and backend operations—information that could be used for phishing attacks if it were obtained by bad actors.
- Even if no personal data was collected, a breach of this size can present legitimate risks to large organizations like CVS that track search data for analytics, marketing, and customer engagement purposes.
- Fowler did not download the entire database due to ethical concerns. Because of this, it is unclear exactly how many CVS customers were impacted by the data breach.
– Jill McKeon | June 21, 2021