Popular pharmacy chain Walgreens is warning that a bug in its official mobile app may have exposed sensitive data, including customers’ full names and information on prescriptions for medications they are taking.
The security issue stemmed from an “error” in the personal secure messaging feature of Walgreens’ mobile app. The mobile messaging feature is a service for registered customers to receive SMS alerts for prescription refill notifications, deals and coupons. While Walgreens did not detail the technical glitch, it said that the internal application error enabled certain personal messages, stored in a database, to be viewed by other customers who were using the mobile app.
“As part of our investigation, Walgreens determined that certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers,” according to a Walgreens data security incident customer notification, filed with the Office of the Attorney General and published Friday. “We believe that you were part of the impacted customer group and that one or more personal messages containing your limited health-related information may have been viewed by another customer on the Walgreens mobile app between January 9, 2020 and January 15, 2020.”
That potentially exposed data includes first and last names of customers, their prescription numbers and drug names, store numbers that customers picked up prescriptions from, and shipping addresses. Walgreens said that financial information and Social Security numbers were not impacted.
After the issue was discovered on Jan. 15, “Walgreens promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue,” according to the notice. “Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data.”
Fausto Oliveira, principal security architect at Acceptto, said the incident looks like a typical example of a lack of proper testing.
“If the error conditions in the app had been properly tested, this type of issue should have been caught by the quality assurance department and never seen in production,” he told Threatpost. “It is unfortunate that often, in the rush to go to market, shortcuts are taken and due-diligence testing is skipped in favor of meeting a release date. It also raises questions as to why this information wasn’t encrypted so that even if it was written to a database it would be unreadable, and also how individuals had access to a copy of the database. A proper design would have ensured that any records accessible on the mobile device would be encrypted using per-user keys and that the device would only have access to the information that was relevant to the specific user.”
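To make the failure mode concrete, here is a constructed model of a message-lookup handler that lacks the per-user scoping Oliveira describes, beside a fixed version and the negative test that would have caught it. This is an added example, not Walgreens’ code (the company did not publish details of the bug); the customer ids, message ids and message text are made up.

```python
# Constructed model of the failure mode described in the article: personal
# messages stored in one table and served to the wrong customer. Not
# Walgreens' code; customer ids and messages are made up for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    message_id: int
    customer_id: str  # owner of the message
    body: str


# Constructed sample "database" of personal messages for two customers.
MESSAGES = {
    1: Message(1, "cust-A", "Rx #1001 ready at store 42"),
    2: Message(2, "cust-B", "Rx #2002 ready at store 7"),
}


class Forbidden(Exception):
    """Raised when a caller asks for a message they do not own."""


def get_message_vulnerable(requester: str, message_id: int) -> Message:
    """Looks the message up by id alone: any logged-in customer who supplies
    another customer's message id receives that customer's message."""
    return MESSAGES[message_id]


def get_message_fixed(requester: str, message_id: int) -> Message:
    """Object-level authorization: the lookup is scoped to the requester, so a
    message id belonging to someone else is treated the same as a missing one
    (the caller also learns nothing about whether the id exists)."""
    msg = MESSAGES.get(message_id)
    if msg is None or msg.customer_id != requester:
        raise Forbidden(f"{requester} may not read message {message_id}")
    return msg


def regression_check() -> bool:
    """The kind of negative test the article says was missing: a customer must
    not be able to read another customer's message. Returns True when the
    vulnerable handler leaks and the fixed handler does not."""
    def leaks(handler) -> bool:
        try:
            return handler("cust-A", 2).customer_id != "cust-A"
        except Forbidden:
            return False
    return leaks(get_message_vulnerable) and not leaks(get_message_fixed)
```

Running `regression_check()` in a CI pipeline is the cheap guardrail the article's quoted expert is asking for: the test fails the moment a handler returns a record the authenticated user does not own.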
Walgreens recommended that customers monitor their prescriptions and medical records. The company did not say how many customers were impacted, or how many actually accessed the exposed information (Threatpost has reached out for further comment). But the potential number of people impacted is vast, based on Walgreens’ customer base. The company interacts with approximately 8 million customers in its stores and online each day, and filled 1.2 billion prescriptions on a 30-day adjusted basis in fiscal 2019, according to its website. And the Walgreens mobile app on the Google Play app marketplace has more than 10 million downloads.
The fact that prescriptions were leaked “is worrying,” said Oliveira, since it discloses health conditions that may be used for malicious attacks like blackmail. A bad actor who got his hands on this data, for instance, could threaten to make employers aware of victims’ conditions that they may not want to reveal.
“I think the offer from Walgreens to place the customers in several credit-card monitoring companies is ineffective and does not help at all to address the concerns,” he told Threatpost. “If the information has been leaked, it is out there, and credit-card monitoring companies cannot do anything to prevent the information from spreading. This is a situation where preventing this type of event from happening in the first place is the only cure.”
It’s not the first time that Walgreens has dealt with a security issue. In 2013, the company was hit with a $1.4 million penalty for a data breach after a pharmacist in a Walgreens store in Indianapolis inappropriately viewed and shared a woman’s prescription history.