CVS inadvertently leaked a database containing 1 billion data points, including searches for medications and COVID-19 vaccines

A cybersecurity researcher discovered a CVS database containing 1 billion data points, including searches for COVID-19 vaccines and medications.

  • In March, a cybersecurity researcher discovered a CVS database including 1 billion data points.
  • It contained searches for COVID-19 vaccines and medications, the researcher said on Website Planet.
  • Researcher Jeremiah Fowler told Forbes CVS took the data set down within one day of him notifying the firm.

A dataset containing 1 billion data points from CVS customers, including searches for medications and COVID-19 vaccines made on CVS.com, was inadvertently posted online.

Cybersecurity researcher Jeremiah Fowler discovered a non-password protected database belonging to CVS Health on March 31. Fowler posted his findings on Website Planet.

The data consisted of searches for medications, COVID-19 vaccines, and other CVS products, Fowler reported. Some searches contained email addresses and “Visitor IDs” that could have matched searches with personal identifying information.

Fowler told Forbes he did not download the full dataset for ethical reasons, as he did not want to collect personal data. The researcher added that CVS took down public access to the database within one day of Fowler notifying the company.

CVS said in a statement to Forbes “an unnamed third party was responsible for controlling the information.”

“The bad part about this finding was just how big it was,” Fowler told Forbes in an interview. “In a small sampling of records there were emails from all major email providers.”

CVS did not immediately respond to Insider’s request for comment.

Read the original article on Business Insider

Facebook is under investigation in the EU for its massive leak of 533 million people’s data – and it could face a fine in the billions

Facebook CEO Mark Zuckerberg appears before a House Financial Services Committee hearing on Capitol Hill in Washington, Wednesday, Oct. 23, 2019.

  • A European regulator announced that it’s investigating Facebook over a leak of 533 million people’s data.
  • Ireland’s Data Protection Commission will probe whether Facebook broke EU privacy laws.
  • Facebook could face a fine of up to 4% of its $86 billion global revenue if found responsible.

Europe’s leading privacy regulator is investigating whether Facebook broke the law in its handling of a leak of over 533 million people’s phone numbers and personal data.

Ireland’s Data Protection Commission, the body charged with overseeing Facebook’s privacy compliance in the European Union, announced it had opened an investigation into the social media giant on Wednesday. If Facebook is found to have violated the EU’s data rules, it could face a monetary fine of up to 4% of its $86 billion global revenue.

In a statement, the DPC said it believes EU data rules “may have been, and/or are being, infringed in relation to Facebook Users’ personal data.”

The personal data of over 533 million Facebook users were dumped online for free in a hacking forum earlier this month, Insider first reported. The data included phone numbers that users didn’t make public on their Facebook profiles, which were scraped by cybercriminals in violation of Facebook’s terms of service.

A Facebook spokesperson said in a statement to Insider that the company is “cooperating fully” with the investigation, adding that the DPC is probing a now-patched vulnerability in a Facebook tool that made it possible to gather information about a Facebook user by entering their phone number.

“We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place,” the spokesperson said.

When news of the leak first broke, Facebook said the data was scraped due to a vulnerability that the company patched in 2019, and downplayed the issue as “previously reported” – but the company never publicly addressed the vulnerability in detail until the data dump this month.

Facebook also said it does not plan to notify the hundreds of millions affected by the data breach because it’s not confident that it has full knowledge of which users are affected, and because users can’t take steps to fix the issue given that the data has already been published online.

The DPC investigation comes on the heels of pressure from the European Commission. Justice commissioner Didier Reynders said on Monday that he had met with the DPC head Helen Dixon regarding the Facebook leak.

The EU investigation will probe whether Facebook had a legal obligation to notify users and European regulators when it found and fixed the vulnerability. The EU’s data privacy rules, known as GDPR, require such disclosures – but the GDPR only applies to data processed after 2018, and it’s not yet clear if the leaked Facebook data was scraped before the GDPR went into effect.

The DPC said that it has already started questioning Facebook about the data leak and that Facebook has “furnished a number of responses.”

Read the original article on Business Insider