Sensitive Walgreens customer data leaked, including COVID-19 test results

Recent security reports indicate that the results of COVID-19 tests conducted by the pharmaceutical company Walgreens could be exposed to threat actors. According to the report, the leak would include full names, dates of birth, gender, phone numbers and email addresses of millions of customers.

A spokesman for the pharmaceutical company denied such reports, saying that the protection of its users’ information is Walgreens’ top priority: “We have implemented a reliable security program in order to protect the confidential data of our patients.”

The spokesperson adds that the report revealing the leak is the product of an inaccurate assessment of the company’s security measures, specifically in the “COVID-19 Testing” section of its website.

Apparently, this potential leak is related to the company’s COVID-19 testing registration system; in this section of their website, customers sign up to request a test, receiving in response a 32-digit number as a patient ID. This key is included in the appointment request page, and anyone who has the URL can access that page.

The problem grows considering that these pages remain active for up to six months.

To be precise, these pages do not explicitly display all the information entered by users, although it is possible to access this data through the developer tool panel of any browser. It is also possible to access the name of the laboratory where the COVID-19 test was performed, which would allow threat actors to develop detailed profiles of some affected users.

In certain cases, a threat actor could create a bot to guess many of these patient IDs using brute force, performing ambitious information-gathering attacks to obtain a large amount of sensitive details in a short time.

Still, the company dismissed the risk by mentioning that the probability of guessing a patient ID through brute force is one in trillions, as this automatic system generates a unique 32-digit hexadecimal URL link. No attempts at attack have been detected in real scenarios, so at least for now the facts seem to support Walgreens’ position.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.