More than 1 billion customer records belonging to CVS Health Corp. have been found exposed online in the latest tale of unsecured cloud data storage.

Discovered and publicized today by security researcher Jeremiah Flower working for WebsitePlanet, the nonpassword-protected database had no form of authentication and was exposed to all and sundry. The database included visitor ID, session ID, device information, email addresses and other details.

The data, at least according to CVS, were not customer account records but related to data entered by customers into the search bar on the company’s website — though it’s strange that customers searching the CVS website would enter their emails.

That said, Flower noted, perhaps being overly generous, “it is a possible theory that visitors may have believed they were logging into their account but were really entering their email address into the search bar.”

CVS also blamed a third-party vendor. “We were able to reach out to our vendor and they took immediate action to remove the database,” CVS said in a statement. Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.”

Which cloud storage hosted the unsecured database was not disclosed.

“Unfortunately, this isn’t the first time a misconfiguration has exposed massive amounts of data online without any password protection or authentication controls in place,” Jasen Meece, chief executive officer of authorization and application security solutions provider Cloudentity Inc., told SiliconANGLE. “To prevent misconfigurations, organizations must implement identity and access management controls on their databases and all other resources within their network to ensure every point of entry is secured.”

David Pickett, senior cybersecurity analyst at email security platform company Zix|AppRiver, noted that the exposure highlights the importance of protecting sensitive customer information as well as ensuring outside vendors have proper security measures in place.

“Companies that house personal information for millions of customers need to reflect on their current password practices and ensure they are building the safest habits to protect their company and customers from cybercriminals,” he said.

Ray Canzanese, threat research director at cloud security platform provider Netskope Inc., said the breach appears to have been an unprotected Elasticsearch server that was exposed to the internet.”

“Improperly configured security groups, network access control lists and firewall rules are a common type of exposure in infrastructure-as-a-service providers like AWS, Azure and GCP,”  Canzanese said. “Things you can do to avoid such exposures include scanning your own cloud environments automatically to discover and lock down exposed resources.”

Photo: CVS Health