Any online privacy and data security advocate could have – and probably has – told you this a while back: the rushed “ecosystem” building up around COVID certificates, testing, tracking, passes, and other similar personal-information collecting tools is set up to eventually fail.
Reports attesting to this are cropping up around the world, and a new one from the US concerns the country’s massive pharmacy chain, Walgreens. According to reports, Walgreens had decided to make itself a “vital partner in testing” before making sure that its technological backend was secure and reliable enough to qualify for such a role.
Now people who got their coronavirus test done at one of these pharmacies are learning that their personal data – which can also offer insight into the result of the test – is stored on Walgreens’ site, which is riddled with security vulnerabilities.
The number of those affected runs into the millions, while the data that is left exposed on the internet, not least to a number of ad trackers on the site itself, includes their name, phone number, physical and email addresses, date of birth and gender.
And while Walgreens was and still is making money off performing those tests – the funds come from the government and insurance firms – security experts say that the vulnerabilities on the site are common and that “basic errors” have been made in implementing security solutions – meaning that the pharmacy giant has no real excuse for allowing them to live on its internet infrastructure.
The revelation is not new, either – it dates back to March and was discovered by Interstitial Technology PBC consultant Alejandro Ruiz, Recode is reporting. The website also refers to two other security companies that have arrived at the same conclusion regarding Walgreens’ lax security practices.
Ruiz’s initial attempts to inform Walgreens about his findings were ignored by the company, while Recode got a boilerplate response saying that the pharmacy chain “regularly reviews and incorporates additional security enhancements when deemed either necessary or appropriate.”
Apparently, a potential massive personal data leak does not fall into the category of what’s “necessary or appropriate” to deal with. And so Recode decided to publish the story, having given Walgreens a heads-up, hoping the company would use the time to fix the issues – something that is yet to happen.