Walgreens disclosed a data leak in its mobile app, specifically in the messaging service, that consequently revealed users’ personal information such as first and last names, prescription names and numbers and shipping addresses. Given that the Walgreens Android app has over 10 million downloads and the pharmacy refilled nearly 1.2 billion prescriptions in 2019, this is a considerable security issue.
Walgreens Mobile App Leaks Prescription Data https://t.co/0NgvKOpqys #Mobile #Data #Leak #PII #Pharma #Security @threatpost
— The Governance Guru (@GovernanceGuru) March 2, 2020
With approximately 272 million mobile users in the US, getting prescription drugs using apps is convenient and easy for patients. However, that data is the lifeblood of cybercriminals, especially details of prescriptions, personal information and shipping addresses. Cybercriminals use this data to take over accounts the victims have with other online companies, hijack the medications or put in fraudulent insurance claims. There is also the risk of impersonation by bad actors who will create new accounts with the victim’s information or open up new credit lines. For organizations with an online presence, more technologies are needed to distinguish legitimate customers from imposters. New technologies like behavioral analytics and passive biometrics are being leveraged to protect businesses and their customers from account takeover by recognizing customers’ online behavior instead of basing a decision on a password, SIN or another credential. Hackers are not able to mimic inherent user behavior online, making stolen credentials valueless.
It is apparent that Walgreens takes protecting their customers’ health information very seriously, as they seem to have taken the necessary actions to alert folks about the program bug discovered within their app. It seems that Walgreens discovered the bug shortly after, possibly through an internal review of their code that alerted the necessary teams. Organizations need to have a repeatable procedure for their incident response programs to ensure that information is communicated effectively within their departments and to customers.
While it’s not favorable that personally identifiable information was leaked, Walgreens has taken the proper corrective actions to repair the mobile application and inform their customers. People should monitor their Walgreens accounts and prescription information for any errors.
The Walgreens leak is just another example why mobile health access is so challenging, especially at scale. Securing sensitive information, particularly highly regulated information like Protected Health Information (PHI), is essential as healthcare is pushed to become mobile. Embedding fine-grained security platforms into new platforms enables highly targeted access management and monitoring, which ensures that healthcare providers can manage every piece of sensitive information, even as they grow across the digital ecosystem. Understanding how information can be accessed at the individual level minimizes the threat of information falling into the wrong hands – especially when managing large numbers of permitted users. In this case, users were able to view messages from other patients – risking fines and dramatically increasing the risk of insider threat abuse.
Walgreens and other large enterprises that are innovating at such rapid rates in order to establish themselves as major forces in new expanding markets like digital healthcare must make cybersecurity a top priority. Unfortunately, this incident sounds like another situation where a product was rushed to market without appropriate security vetting. This is an all-too-common occurrence in today’s fast-moving enterprises, where security teams are often pulled in after launch, if at all.
Proper analysis of this messaging feature in the Walgreens app would probably have uncovered an unencrypted underlying database, as well as lack of authentication and authorization features critical to prohibiting data crossover of this sort. Lack of proper cyber hygiene has resulted in yet another embarrassing, and likely costly, security incident.
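As an added illustration of the authorization gap this commentary speculates about (example code, not Walgreens’ own; the message store, patient ids and access-log lines are constructed), here is a message lookup keyed only by message id next to one scoped to the authenticated patient, plus a log check a defender could run to flag reads of another patient’s messages:

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Message:
    message_id: int
    patient_id: str   # owner of the message
    body: str

# Constructed sample store: two patients, three messages (not real data).
MESSAGES = {
    1: Message(1, "patient-A", "Your refill of Rx #0001 is ready"),
    2: Message(2, "patient-B", "Rx #0002 shipped to 12 Example St"),
    3: Message(3, "patient-A", "Pharmacist note on Rx #0001"),
}

class Forbidden(Exception):
    """Raised for both 'not found' and 'not yours' so existence is not leaked."""

def get_message_insecure(message_id: int) -> Message:
    # Lookup keyed only by message id: any logged-in user can read any
    # message, which is the data crossover described above.
    return MESSAGES[message_id]

def get_message_secure(requester_id: str, message_id: int) -> Message:
    # Object-level authorization: the lookup is scoped to the authenticated
    # patient, so an id belonging to someone else yields nothing.
    msg = MESSAGES.get(message_id)
    if msg is None or msg.patient_id != requester_id:
        raise Forbidden(f"message {message_id} not available to {requester_id}")
    return msg

def can_read(requester_id: str, message_id: int) -> bool:
    try:
        get_message_secure(requester_id, message_id)
        return True
    except Forbidden:
        return False

# Constructed log format: "<timestamp> user=<id> GET /messages/<id> <status>"
LOG_RE = re.compile(r"user=(?P<user>\S+) GET /messages/(?P<mid>\d+)")

def find_crossover(log_lines) -> list:
    """Detection: flag reads where the requesting user is not the message owner."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        mid = int(m.group("mid"))
        if mid in MESSAGES and MESSAGES[mid].patient_id != m.group("user"):
            hits.append((m.group("user"), mid))
    return hits

# Constructed access-log lines for the detection check.
SAMPLE_LOG = [
    "2020-03-02T10:00:00Z user=patient-A GET /messages/1 200",
    "2020-03-02T10:00:05Z user=patient-A GET /messages/2 200",
    "2020-03-02T10:00:09Z user=patient-B GET /messages/2 200",
]
```

Note that the secure variant returns the same error for a missing id and for someone else’s id, so a caller cannot learn which ids exist.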
Fortunately for consumers, the short exposure window of the vulnerability and the specific conditions required should keep the impact of this flaw to a minimum. Consumers shouldn’t be too concerned that their personal data got into the wrong hands as a result of this incident. Regardless, given the medically sensitive nature of the app and the messages likely to be sent through it, this is a good reminder to “build it like it’s broken” and ensure that software is continuously tested for vulnerabilities that compromise consumer privacy. This is where the ethical hacking community comes in: they apply the same type of hacking creativity as an adversary, but help companies ensure the security of their software and hardware.