A dataset containing 1 billion data points from CVS customers, including searches for medications and COVID-19 vaccines made on CVS.com, was inadvertently posted online.
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database belonging to CVS Health on March 31. Fowler posted his findings on Website Planet.
The data consisted of searches for medications, COVID-19 vaccines, and other CVS products, Fowler reported. Some searches contained email addresses and “Visitor IDs” that could have matched searches with personal identifying information.
Fowler told Forbes he did not download the full dataset for ethical reasons, as he did not want to collect personal data. The researcher added that CVS took down public access to the database within one day of Fowler notifying them.
CVS said in a statement to Forbes that “an unnamed third party was responsible for controlling the information.”
“The bad part about this finding was just how big it was,” Fowler told Forbes in an interview. “In a small sampling of records there were emails from all major email providers.”
CVS did not immediately respond to Insider’s request for comment.
Europe’s leading privacy regulator is investigating whether Facebook broke the law in its handling of a leak of over 533 million people’s phone numbers and personal data.
Ireland’s Data Protection Commission, the body charged with overseeing Facebook’s privacy compliance in the European Union, announced it had opened an investigation into the social media giant on Wednesday. If Facebook is found to have violated the EU’s data rules, it could face a monetary fine of up to 4% of its $86 billion global revenue.
In a statement, the DPC said it believes EU data rules “may have been, and/or are being, infringed in relation to Facebook Users’ personal data.”
The personal data of over 533 million Facebook users were dumped online for free in a hacking forum earlier this month, Insider first reported. The data included phone numbers that users didn’t make public on their Facebook profiles, which were scraped by cybercriminals in violation of Facebook’s terms of service.
A Facebook spokesperson said in a statement to Insider that the company is “cooperating fully” with the investigation, adding that the DPC is probing a now-patched vulnerability in a Facebook tool that made it possible to gather information about a Facebook user by entering their phone number.
“We are cooperating fully with the IDPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place,” the spokesperson said.
Facebook also said it does not plan to notify the hundreds of millions affected by the data breach because it’s not confident that it has full knowledge of which users are affected, and because users can’t take steps to fix the issue given that the data has already been published online.
The DPC investigation comes on the heels of pressure from the European Commission. Justice commissioner Didier Reynders said on Monday that he had met with the DPC head Helen Dixon regarding the Facebook leak.
The EU investigation will probe whether Facebook had a legal obligation to notify users and European regulators when it found and fixed the vulnerability. The EU’s data privacy rules, known as GDPR, require such disclosures – but the GDPR only applies to data processed after 2018, and it’s not yet clear if the leaked Facebook data was scraped before the GDPR went into effect.
The DPC said that it has already started questioning Facebook about the data leak and that Facebook has “furnished a number of responses.”