A Billion CVS Records Exposed
More than a billion records were exposed after a misconfiguration error left a CVS Health cloud database without password protection.
The 240GB of unsecured data was discovered by WebsitePlanet and security researcher Jeremiah Fowler in a cooperative investigation.
Because of the security oversight by CVS Health, which owns CVS Pharmacy and Aetna, a total of 1,148,327,940 records were exposed.
Information that was left publicly accessible to anyone who knew how to look for it included customers’ search histories detailing their medications, and production records that exposed visitor ID, session ID, and device information (e.g., iPhone, Android, iPad).
Personal data was also exposed, with researchers noting that “a sampling search query revealed emails that could be targeted in a phishing attack for social engineering or potentially used to cross reference other actions.”
Researchers said that any threat actors who accessed the database could have gleaned a clear understanding of configuration settings, discovered where data is stored, and accessed a blueprint of how the logging service operates from the backend.
After encountering the unprotected database on March 21, researchers contacted CVS Health, which acted swiftly to restrict public access.
“We were able to reach out to our vendor and they took immediate action to remove the database,” said CVS Health. “Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.”
“Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone,” PJ Norris, senior systems engineer at Tripwire, told Infosecurity Magazine.
He continued: “A misconfigured database on an internal network might not be noticed, and if noticed, might not go public, but the stakes are higher when your data storage is directly connected to the internet. Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3.”