CVS Health Faces Data Breach,1B Search Records Exposed

CVS Health Faces Data Breach,1B Search Records Exposed

  • More than 1 billion CVS Health search records were accidentally posted online in a data breach incident in late March by an unnamed third party vendor.
  • The records contained search data from CVS.com and CVSHealth.com for both COVID-19 vaccines and medications.
  • Independent cybersecurity researcher Jerimiah Fowler discovered the breach and quickly alerted CVS and the database was taken offline on the same day.
  • Fowler and the research team at WebsitePlanet discovered the database, which was not password-protected, on March 21st. Their findings uncovered CVS’ configuration settings and backend operations—information that could be used for phishing attacks if it were obtained by bad actors.
  • Even if no personal data was collected, a breach of this size can present legitimate risks to large organizations like CVS who track search data for analytics, marketing, and customer engagement purposes.
  • Fowler did not download the entire database due to ethical concerns. Because of this, it is unclear exactly how many CVS customers were impacted by the data breach.

– Jill McKeon | June 21, 2021