A leak in the Walgreens mobile app’s messaging service exposed personal information – including what the company said was “limited health-related data” – on a “small percentage” of customers who used the app between Jan. 9-15.
“Fortunately for consumers, the short exposure window of the vulnerability and the specific conditions required should keep the impact of this flaw to a minimum,” said Casey Ellis, CTO and founder at Bugcrowd.
In a notification to potential victims filed with the California Attorney General’s Office, the drugstore chain said the “information may have been viewed by another customer on the Walgreens mobile app.”
Walgreens drew praise from James McQuiggan, security awareness advocate at KnowBe4, for its quick alert once the bug was discovered. “While it’s not favorable that personal identifiable information was leaked, Walgreens has taken the proper corrective actions to repair the mobile application and inform their customers,” he said.
McQuiggan urged organizations to create “a repeatable procedure for their incident response programs to ensure that information is communicated effectively within their departments and to customers.”
Among the data exposed were first and last names, prescription numbers and drug names, store numbers and, in some cases, shipping addresses.
While “consumers shouldn’t be too concerned that their personal data got into the wrong hands as a result of this incident,” Ellis said, “the medically sensitive nature of the app” and the types of messages that will likely be sent through it serve as “a good reminder to ‘build it like it’s broken’ and ensure that software is continuously tested for vulnerabilities that compromise consumer privacy.”
Robert Capps, vice president of market innovation for NuData Security, a Mastercard company, noted that with about 272 million mobile users in the U.S., “getting prescription drugs using apps is convenient and easy for patients.” That data, though, “is the lifeblood for cybercriminals, especially details of prescriptions, personal information and shipping addresses,” which they can use “to take over accounts the victims have with other online companies, hijack the medications or put in for fraudulent insurance claims,” or even create new accounts or lines of credit using victims’ information.
Because the leak included PII and potentially protected health information (PHI), Walgreens might find that it’s run afoul of regulations like HIPAA and CCPA and now possibly faces “costly penalties,” said Anurag Kahol.