Lax web security results in WebMD, CVS, Trump donor data leaks

Six months ago, the European Union’s General Data Protection Regulation, or GDPR, took effect, threatening companies worldwide with massive fines if they didn’t look after customer data properly. Fresh research suggests it’s making a difference in Europe -- but not so much for U.S. web users.

The personal information of American charity donors, political party supporters, and online shoppers, has continued to quietly leak onto the internet as a result of poor website security practices, new research shows. As many as one in five e-commerce sites in the U.S. are still leaving their customers exposed, Philadelphia-based search marketing company Seer Interactive said Monday.

"If you were one of the 50 largest e-commerce sites you’d think you’d have this under wraps, and that’s the most troubling thing," said Adam Melson, a director at Seer.

CVS storefront
Pedestrians walk past a CVS Health Corp. store in Chicago, Illinois, U.S., on Sunday, Nov. 6, 2016. CVS Health Corp. is scheduled to release earnings figured on November 8. Photographer: Christopher Dilts/Bloomberg
Christopher Dilts/Bloomberg

Using simple Google searches, similar to methods examined by Seer, Bloomberg was able to access sensitive user information from a wide range of randomly chosen U.S. websites. In one instance, the website of St. Jude Children’s Research Hospital had made public the receipt for a donation of hundreds of dollars, including the donor’s full name and address, their method and date of payment, and their email. Bloomberg was able to find similar data in PDF format relating to purchases of sporting goods at the Pine Hills Golf Club in Ohio, which included full names, home addresses and email details, as well as reference numbers for the person’s purchase.

In another instance, email addresses associated with subscriptions to newsletters about cancer and HIV could be found by Bloomberg on WebMD Health Corp.’s Medscape website. CVS Health Corp. was found to be revealing email addresses of subscribers to its newsletters.

In a further case, the full name and details of an individual who completed a survey on the donation page of U.S. President Donald Trump’s website could be seen in a URL indexed by Google.

These examples were discovered by requesting results for terms such as “firstname,” “print,” or “@gmail.com” and restricting the queries to subdomains on company web addresses, such as “shop.companyname.com.” (To protect affected users, Bloomberg is not publishing the specific URLs it has seen to be exposing data.)

The vulnerability can be caused by a number of basic errors, one of which is that if a website lets a user share a transaction on social media -- such as to promote a charitable donation -- a search engine can see their post, and from there index the original web page, whether the user knows this or not. With no security protection in place, these pages are available to anyone.

A spokesman for CVS said "a very small number" of customer email addresses were visible this way “when some customers shared content from their ‘unsubscribe’ emails to online forums to support other users,” but that no other personal information was accessible.

Amy Lahey, chief information security officer at ALSAC, the fundraising and awareness organization for St. Jude Children’s Research Hospital, said that the data exposure was limited to two donation transaction records -- one dating back to 2015 and one back to 2017 -- and that additional security controls have now been put in place.

After being informed by Bloomberg prior to publication of this story, CVS and St. Jude’s said affected pages had now been removed or were in the process of removal. Representatives for WebMD and Pine Hills Golf Club have not responded to multiple requests for comment.

Another explanation is that when a website operator creates an index of pages on their server to give to Google -- known as a “site map” -- pages that should be only visible by a customer can be accidentally included.

A spokesman for Alphabet Inc.’s Google said the company provides documentation to help webmasters prevent this happening, and that it only serves information available on the public web.

While individually the data may be seen as harmless, in the hands of a cyber-criminal it could be used fraudulently, said Melson.

Here’s a hypothetical way that could play out: A rogue caller phones an individual and recites details of a recent donation, when it was made and to whom it was sent, while claiming the method of payment failed. The vulnerable victim could then be persuaded to repeat the donation, but this time to the criminal’s own account. Or that person could be tricked into revealing a password to reconfirm an order, inadvertently submitting all the combinations of their commonly-used passwords into an attacker’s database.

Targeted email attacks have played roles in a number of online breaches. At least three 2018 U.S. congressional candidates have been hit with phishing attacks that strongly resemble Russian sabotage two years ago, Microsoft Corp.’s Tom Burt, corporate vice president for customer security and trust, said in July. In 2016, the U.S. Department of Justice said a 28-year-old man from Illinois was charged for using phishing scams to access the online accounts of celebrities, from which he stole personal -- and often sexually explicit -- photographs and videos.

Michela Menting, digital security research director at ABI Research, said low-level accidental data leaks occur frequently, but that they can be “as big an issue as a mass data breach, simply because it happens on a much broader scale and on a continuous basis.”

“It’s a sort of death by a thousand cuts if you will, rather than one critical wound,” she said. “It’s these small cuts and leakages that companies tend to brush aside, because they can’t see the larger picture.”

However, identifying the scale of the problem is difficult, and the degree of severity varies greatly between websites. There’s also little consistency between the number of people whose data is being exposed, and the potential customer base of the website making it available.

Such low-level data leaks represent a type of basic error companies, large and small, have been making for years. In April, U.S. bakery chain Panera Bread said it had fixed an exploit on its website that could have left the personal information of as many as 7 million customers available to scammers.

In September, the U.K. Conservative Party conference’s official app allowed anyone to access and change details of attendees, including members of government. Members of the public were able to log in as a lawmaker by using their email address, giving them access to personal information such as private phone numbers. The app’s developer, CrowdComms, apologized for the flaw, which has since been fixed.

The widespread leak of data is emblematic “of a wider cultural problem business have towards data,” said Julian Saunders, chief executive officer of personal data governance service Port, in which too little care is given to the protection of information that’s not as obviously sensitive, such as credit card numbers and passwords.

He said such low-level leaks were why Europe’s GDPR legislation was required. The law mandates that companies have to take technical precautions such as encryption to ensure all client data is protected. It also states that firms must notify authorities about breaches within 72 hours of learning about them. Violations of GDPR rules may lead to fines of as much as 4 percent of a company’s global annual sales.

Melson said the affected websites Seer had identified as vulnerable were “largely” U.S.-based. “We’re finding significantly fewer U.K. companies,” he said, adding that it suggested GDPR rules were having a positive effect.

Bloomberg News
Data security Retailers
MORE FROM AMERICAN BANKER