At a glance.
- A case of COVID-19 test registration data left unsecured.
- Data incident in Lubbock, Texas.
- Don't forget to patch.
Walgreens leaves COVID-19 test data unsecured.
Vox reports that a flaw in the COVID-19 test appointment registration site for US pharmacy chain Walgreens is exposing registrant data on the web. Upon completion of the registration form, each registrant is assigned a unique, 32-digit ID number which, along with their other registration data, is displayed on their appointment confirmation page. The problem is that the unique ID number is also part of the URL for the confirmation page, which can be accessed without a login or any other authentication. In other words, anyone could use the ID to determine the URL of a registrant’s confirmation page, which includes private data like name, date of birth, gender, and address, and remains active for at least six months.
Making matters worse, Walgreens allows third parties like Adobe, Dotomi, Facebook, Google, and Monetate to track the confirmation pages for advertising purposes, meaning that if they chose, those companies could easily view a registrant’s private data. The issue was discovered in March by Alejandro Ruiz, a tech consultant whose family member had recently received a test at a Walgreens location. Ruiz and other tech experts agree that the mistakes that led to the exposure were avoidable. “The technical process that Walgreens deployed to protect people’s sensitive information was nearly nonexistent,” explained privacy researcher Zach Edwards, founder of analytics firm Victory Medium. The founder of Yale’s Privacy Lab Sean O’Brien added, “Just the sheer number of third-party trackers attached to the appointment system is a problem, before you consider the sloppy setup.”
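The two design points the report raises, a record identifier in an unauthenticated URL and third-party scripts loaded on the page that displays the record, are easiest to see side by side in code. The following is an added example written for this newsletter entry; it is not Walgreens' code and is not taken from the Vox report. The 32-digit ID, the registrant record, the path names and the session-cookie approach are all constructed assumptions for illustration. The "vulnerable" handler models the reported behaviour (URL path is the only credential); the "hardened" handler shows one common remedy: a fixed confirmation path, an opaque short-lived session token in an HttpOnly cookie, and response headers that stop the page URL from travelling to other origins.

```python
# Added example (not code from the Vox article, Walgreens, or this newsletter):
# a minimal model of the access-control flaw described above beside one way
# to close it. Every name, ID and record below is constructed for illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Appointment:
    name: str
    dob: str
    gender: str
    address: str


# Constructed sample record keyed by a 32-digit registrant ID of the kind the
# article describes. In the flawed design this key is also the URL path.
APPOINTMENTS = {
    "11111111112222222222333333333344": Appointment(
        "Jane Example", "1980-01-01", "F", "1 Example Street, Anytown"),
}


def confirmation_vulnerable(path: str) -> Optional[dict]:
    """The flawed design: whoever holds the URL gets the record.

    No login, no session, no expiry: the registrant ID in the path is the only
    credential. Because it sits in the URL, it is also visible to every
    third-party script loaded on the page and to anything that logs referrers.
    """
    prefix = "/confirmation/"
    if not path.startswith(prefix):
        return None
    appt = APPOINTMENTS.get(path[len(prefix):])
    if appt is None:
        return None
    return {"name": appt.name, "dob": appt.dob,
            "gender": appt.gender, "address": appt.address}


SESSION_TTL_SECONDS = 15 * 60  # assumed lifetime; the report says the page stayed live 6+ months
# token -> (registrant_id, absolute expiry); in-memory stand-in for a session store
_SESSIONS: Dict[str, Tuple[str, float]] = {}


def issue_session(registrant_id: str, now: Optional[float] = None) -> str:
    """Issue a random, opaque, short-lived token bound to one registrant.

    The caller places it in an HttpOnly, Secure cookie, never in the URL, so
    nothing record-identifying reaches tracking scripts or referrer logs.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = (registrant_id, now + SESSION_TTL_SECONDS)
    return token


# Headers that keep the page URL and content from leaking to other origins.
HARDENED_HEADERS = {
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
    "Content-Security-Policy": "default-src 'self'",  # no third-party scripts
}


def confirmation_hardened(path: str, cookies: dict,
                          now: Optional[float] = None):
    """Hardened design: fixed path, record chosen by a verified session only.

    Returns (status, headers, body); body is None unless status is 200.
    """
    now = time.time() if now is None else now
    if path != "/confirmation":           # no identifier accepted from the URL
        return 404, dict(HARDENED_HEADERS), None
    token = cookies.get("session")
    entry = _SESSIONS.get(token) if token else None
    if entry is None or entry[1] <= now:
        _SESSIONS.pop(token, None)        # discard expired or unknown token
        return 401, dict(HARDENED_HEADERS), None
    registrant_id, _expiry = entry
    appt = APPOINTMENTS[registrant_id]
    body = {"name": appt.name, "dob": appt.dob,
            "gender": appt.gender, "address": appt.address}
    return 200, dict(HARDENED_HEADERS), body
```

The behaviour to verify in a review is the negative space: a guessed or leaked ID placed in the path yields 404, a missing or expired cookie yields 401, and only a live session returns a record. The `Content-Security-Policy` line is what addresses the second finding in the report; a confirmation page that must load advertising scripts cannot satisfy `default-src 'self'`, which makes the conflict between the two requirements visible at configuration time rather than after the fact.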
Though Walgreens was notified of the problem, reports suggest that the issue has not yet been corrected. When asked for a response, Walgreens told Vox, “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate.”
A breach or not a breach?
The private court records for residents of Lubbock County, located in the US state of Texas, were exposed when the county transitioned to a new computer software system. The compromised records include non-disclosure orders, criminal cases, and civil and family law records, but EverythingLubbock.com notes there is some disagreement concerning how to define the incident. The Lubbock County Defense Lawyers Association categorized it as a data breach, but according to an official statement, the county disagrees: “This was not a data breech [sic], or an issue where the computer system was compromised.” The access portal has been temporarily blocked until the issue, however one might characterize it, can be resolved.
Patch your systems against privacy vulnerabilities.
And the most prominent of those this month is the zero-click issue Apple just addressed in its latest update. Toshihiro Koike, CEO of CSC, emailed some encouragement to greater diligence:
“The zero-click remote exploit targeting Apple products reveals how cyber criminals are constantly evolving and growing more sophisticated. Consumers need to be vigilant to detect any unusual activity, stay current and download software updates, and be aware that sometimes you can be victimized without any action on your part. Preventing a cyberattack is like preventing a home invasion: you must continuously update your security and educate the persons behind the walls.”