Security researchers have revealed the discovery of an online database belonging to CVS Health which exposed over a billion records online. The database was not password-protected and had no form of authentication in place to prevent unauthorized entry. Upon examination of the database, the team found over one billion records that were connected to the US healthcare and pharmaceutical giant, which owns brands including CVS Pharmacy and Aetna. The database, 204GB in size, contained event and configuration data including production records of visitor IDs, session IDs, device access information — such as whether visitors to the firm’s domains used an iPhone or Android handset — as well as what the team calls a “blueprint” of how the logging system operated from the backend.
<p>While this is not a classic “breach”, it is another example of a data leak. This time it was caused by storing files in the Cloud without any authentication being required to access them, so an “anonymous” person could easily get a copy. While the data in itself isn’t very valuable, it does contain email addresses and some activity metadata which can pose a problem. A “bad actor” could easily launch a very legitimate-looking phishing attack on those email addresses, made even more convincing by telling them the type of phone they have or what medication they last ordered etc. Phishing attacks are commonly used to trick people into giving away their passwords, which is when the real trouble begins!</p>
<p>This is a serious breach of huge amounts of sensitive data. The fact that the database was left passwordless will be of real concern and will be a prime focus for the review and investigation into why this happened. Whilst technology companies are continually seeking new ways of protecting data with passwordless technology, this exposure highlights that having password protection is better than no protection.</p> <p>Given the vast array of sensitive data exposed, there are a number of ways in which this data could be exploited by attackers. In particular, with phishing attacks continuing to increase, this sensitive data could allow tailored phishing attacks on those within the breach. My advice for anyone potentially affected by the breach would be to stay alert and act as if your data has been compromised. Be alert to incoming texts, calls and emails utilising the information shared in this incident from unknown sources demanding further personal information or payment.</p>
<p>Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet. Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3. Once a process is in place, the systems must be monitored for changes to their configurations. These are solvable problems, and tools exist today to help.</p>
<p>Healthcare systems, entrusted with large amounts of information, must be hypervigilant in protecting all of the data they collect. Patient records, visitor sessions and logging information are all at risk. Leaving a database exposed without a password or authentication to prevent unauthorized entry is a surefire way to put this highly sensitive data in jeopardy. The complexity of cloud platforms means that without proper awareness of user access, any gap in security could leave the door open for cybercriminals to infiltrate. To ensure data remain secure, a governance platform with the ability to provide real-time updates within the cloud landscape is vital. With holistic visibility into complex deployments, user access, and security guardrails in place to identify and remediate potential misconfigurations, healthcare organizations can properly secure and protect their patients’ information.</p>