A leak in the Walgreens mobile app’s messaging service exposed personal information – including what the company said was “limited health-related data” – on a “small percentage” of customers who used the app between Jan. 9-15.
“Fortunately for consumers, the short exposure window of the vulnerability and the specific conditions required should keep the impact of this flaw to a minimum,” said Casey Ellis, CTO and founder at Bugcrowd.
In a notification to potential victims filed with the California Attorney General’s Office, the drugstore chain said the “information may have been viewed by another customer on the Walgreens mobile app.”
Walgreens drew praise from James McQuiggan, security awareness advocate at KnowBe4, for its quick alert once the bug was discovered. “While it's not favorable that personal identifiable information was leaked, Walgreens has taken the proper corrective actions to repair the mobile application and inform their customers,” he said.
McQuiggan urged organizations to create “a repeatable procedure for their incident response programs to ensure that information is communicated effectively within their departments and to customers.”
Among the data exposed were first and last names, prescription numbers and drug names, store numbers and, in some cases, shipping addresses.
While “consumers shouldn’t be too concerned that their personal data got into the wrong hands as a result of this incident,” Ellis said, “the medically sensitive nature of the app” and the types of messages that will likely be sent through it, serve as “a good reminder to ‘build it like it’s broken’ and ensure that software is continuously tested for vulnerabilities that compromise consumer privacy.”
Robert Capps, vice president of market innovation for NuData Security, a Mastercard company, noted that with about 272 million mobile users in the U.S., “getting prescription drugs using apps is convenient and easy for patients.” That data, though, “is the lifeblood for cybercriminals, especially details of prescriptions, personal information and shipping addresses,” which they can use “to take over accounts the victims have with other online companies, hijack the medications or put in for fraudulent insurance claims,” or even create new accounts or lines of credit using victims’ information.
Because the leak included PII and potentially protected health information (PHI), Walgreens might find that it’s run afoul of regulations like HIPAA and CCPA and now possibly faces “costly penalties,” said Anurag Kahol.