What the CVS database leak teaches us about third-party vendor security and reputation management

Last month, CVS made headlines after a misconfigured cloud database left over 1 billion records exposed. Discovered by independent cybersecurity researcher Jeremiah Fowler months earlier, the records were accessible via a non-password protected database hosted by a third-party provider. CVS attributed the leak to human error, and acted swiftly to secure the database the day the issue was reported.

The records consisted of visitor and session IDs, device information, and event data. Some email addresses were also discovered, though CVS claims they were not customer account records and were entered into the search bar by visitors who mistakenly thought it was the account login field.

Fowler noted that it could have been possible to match a user’s session ID with what they searched for or added to the shopping cart during that session, and then try to identify the customer using the exposed emails, though there’s no evidence that a malicious actor did this successfully.

This incident is a great reminder that security practitioners are not only responsible for securing assets created in-house, but also those that are created and managed outside of the organization. Though the third-party was responsible for the misconfiguration error in this case, theirs isn’t the name that was tarnished. In fact, the third-party vendor remains anonymous. In headline after headline, CVS is taking the blame.

So, what lessons can we take away here? Well most obviously, ensure that all your assets are properly secured with passwords and authentication mechanisms. That may or may not be an easy task depending upon the number of internet-facing assets within your organization.

Unless you’re actively practicing attack surface management, you may not have a clear picture of what your perimeter looks like and the security status of individual assets. So if you haven’t already implemented a tool to continuously detect assets on your attack surface and monitor them for issues, now is the time to do so.

And finally, start holding your third-party vendors accountable for the security of their tools and services you use. If a security flaw causes a vendor to suffer a breach that exposes your data, it’s you that will be held responsible by the public. So, keep a close watch on the status of third-party services, and discontinue any business relationships that don’t satisfy your security standards.

Manage third-party asset security with TrustedSite’s attack surface management platform

TrustedSite can help you monitor the security of your third-party services and prevent a reputation-damaging breach with our comprehensive attack surface management platform. This platform includes our Website Monitoring service which allows you to easily see a list of all the third-party scripts utilized across your websites, and get notified whenever security issues arise. Schedule a free consultation to see how TrustedSite can help you manage third-party vendors.