Published: August 07, 2021 in our Security Fraud News & Alerts Newsletter.
Adding to the numerous breaches caused by misconfigured cloud systems, another one recently occurred that left over one billion records exposed to the masses online. The victims are clients and patients of CVS Health (CVS), which includes the CVS pharmacies, as well as Aetna. The leaked information included session IDs, details of which device was used to access the company’s domains, and information about how the logging system worked.
The information, which consisted of 204 gigabytes of data, was exposed in an unsecured database managed by a third party for CVS. The data was not necessarily identifiable information; however, researchers said it could, in theory, be cross-referenced to obtain that information. If that happens, it could be used for spear phishing attacks.
As a reminder, spear phishing attacks occur when specific details about the victims are used to get them to open attachments or click links in email. This is in contrast to the copious amount of generalized spam everyone receives in their inboxes every day. Spam uses more of a spray technique, whereas spear phishing uses true information gleaned about the targets, which makes them more likely to fall victim to the attack.
This, of course, brings up the topic of avoiding all kinds of phishing:
Just don’t click links sent by unknown persons. That’s just asking for trouble.
Don’t click links or attachments you are not expecting to receive. If you think they might be OK, confirm in a separate message (not by replying), by text, phone call, or another way that it’s intentional.
Limit what you post on the Internet, specifically on social media or networking websites such as LinkedIn. Those are a treasure-trove of information for spear phishers.
As for businesses, it’s important to thoroughly vet your vendors, especially those who are responsible for protecting your sensitive data or that of your customers. Don’t be afraid to ask the difficult questions, such as how they are protecting it and what they plan to do if the data is breached. They should all have a plan in place, and you’re entitled to feel comfortable with it.
The breach of the CVS data occurred in March of 2021. CVS has worked with the vendor to remove the database from access. Unfortunately, it’s a little too late.