The target: Walgreens, a U.S based drug store and pharmacy chain.
The take: Millions of records of personally identifiable information including: name, date of birth, gender, phone number, address, email, and in some cases results from Covid-19 tests.
The attack vector: Walgreens failed to secure their test appointment registration system. When a user requests a test and fills out the online form with their personal info, they are given a unique 32-digit ID number and a link to their appointment request page. This URL has no authentication or credential control whatsoever. Anyone can use the link to view the personal information.
Security-by-obscurity is not a reliable method, or industry standard, way of securing personal data. Authentication and credential management are an essential strategies that should be taken into high consideration in every area where user information is accessed.