More than 1B CVS records exposed in March 2021

The email addresses and device information of people who visited the CVS website were visible on the public database

More than 1 billion records connected to CVS Health were visible in a non-password-protected database in March, new research shows.

Researchers contacted CVS Health upon the discovery, and the retail giant restricted public access to the database the next day, according to a new report from WebsitePlanet, a website-building resource and research platform.

"In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata," Mike DeAngelis, senior director of CVS corporate communications, told FOX Business. "We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients."

DeAngelis continued: "As the researcher’s report indicates, there was no risk to customers, members or patients, and we worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter."

The email addresses and device information of people who visited the CVS website were visible on the public database, WebsitePlanet found in its research, which was first reported by Forbes. Users entered their email addresses to use the website's search function, which made them identifiable.

"CVS Health acted fast and professionally to secure the data and a member of their Information Security Team contacted me the following day and confirmed my findings and that the data was indeed theirs," researcher Jeremiah Fowler wrote in his report, adding that the name of the contractor or vendor who managed the dataset was confidential. 

Fowler was able to identify a small sample of exposed CVS Health users by conducting a Google search of their email addresses listed in the database.

The bigger picture, according to Fowler, is that with any exposed database, "there is a possibility to see configuration, applications, software, operating systems, and build information that could identify potential vulnerabilities if they were unpatched or outdated."

"Cyber criminals and Nation States alike use complex methods to collect and exploit the data they find. Often they use the same methods as legitimate security researchers to identify publicly exposed data," he wrote in his report. "While we work daily to protect the data we discover there are cyber criminals looking to exploit the data for nefarious purposes."

Fowler added that WebsitePlanet is not implying any wrongdoing on CVS' part or that customers were put at risk; rather, his research is meant to highlight how exposed databases like the one he discovered could be used by threat actors.