Walgreens Discloses Data Breach Related to its Mobile App
Walgreens announced on Friday that it inadvertently exposed personal messages stored on its messaging app due to an internal error. On Jan. 15, officials said they first discovered an error in Walgreens’ personal secure messaging features and launched an investigation. They found a data compromise, which allowed personal messages stored on its database to be viewable by other customers. Upon discovery, Walgreens temporarily disabled message viewing to prevent continued exposure and “implemented a technical correction that resolved the issue.” The investigation revealed that some health-related information was breached for a small percentage of its customers between Jan. 9 and Jan. 15, 2020. The exposed data included customer names, prescription numbers and drug names, store numbers, and shipping addresses, where applicable. Financial data, bank account information, and Social Security numbers were not compromised during the incident.
Total Retail's Take: With data breaches seemingly becoming a daily occurrence, retailers need to have a plan in place to not only safeguard their customer data at all costs, but also a strategy for how to take action when a breach does happen. Casey Ellis, founder and chief technology officer at Bugcrowd, a crowdsourced cybersecurity platform, provided the following comment to Total Retail regarding the Walgreens breach: "Fortunately for consumers, the short exposure window of the vulnerability and the specific conditions required should keep the impact of this flaw to a minimum. Consumers shouldn’t be too concerned that their personal data got into the wrong hands as a result of this incident. Regardless, given the medically sensitive nature of the app and the messages likely to be sent through it, this is a good reminder to “build it like it’s broken” and ensure that software is continuously tested for vulnerabilities that compromise consumer privacy. This is where the ethical hacking community comes in: they apply the same type of hacking creativity as an adversary, but help companies ensure the security of their software and hardware."