On Thursday, an online database belonging to CVS Health was discovered online. This was the result of another misconfigured cloud service, which can significantly impact security and lead to a massive data leak. The uncovered database was not password-protected and had no security defences in place to prevent access from unauthorised persons.
The database was comprised of over a billion records connected to CVS Health and contained event and configuration data. These also included production records of visitor IDs, session IDs, device access information and what type of phone was used on the firm’s domains. “While the data in itself isn’t very valuable, it does contain email address and some activity metadata which can pose a problem,” says Steven Hope, CEO and co-founder of Authlogics. “A ‘bad actor’ could easily launch a very legitimate looking phishing attack on those email addresses, made even more convincing by telling them the type of phone they have or what medication they last ordered etc. Phishing attacks are commonly used to trick people into giving away their passwords which is when the real trouble begins!”