The target: CVS, a U.S-based retailer and pharmacy company.
The take: Exposure of an estimated one billion records of information including: event and configuration data, visitor IDs, session IDs, device access information, a schematic of the logging system used by the website, and queries for medications including COVID-19 vaccines.
The attack vector: Misconfigured cloud service database, controlled by a third-party vendor, with no password protection or credential management, letting anyone with an internet connection download and access the data.
This breach highlights the risk of working with third-party vendors and the importance of regular auditing to ensure they are following best practice when handling data. The storage of sensitive information should follow industry standard practices be managed with proper credential deployment and security, no matter if a firm’s data is on their own servers or in the hands of another party.