The purported breach was discovered by tech consultant Alejandro Ruiz in March after one of his family members registered for a test through the site, Vox’s Recode reported Monday. Ruiz said that Walgreens was unresponsive when he brought the issue to the company’s attention via phone, email and its own online security form, and that the problem has still not been fixed despite Recode giving the company time to address the issue before publishing.
According to the outlet, a slew of information on any of the millions of Americans who have registered with Walgreens for testing can be viewed at that individual’s assigned URL by anyone who has access to the customer’s browsing history, such as an employer with access to the customer’s computer. It’s also possible that the sensitive information – which includes users’ dates of birth, mailing addresses and email addresses – could be accessed by a “determined hacker” using bots to guess the specific URL of a user’s registration page.
Recode reported, “But, given how many characters are in the IDs and therefore how many combinations there are, [experts] said it’d be close to impossible to find just one active page this way — even with the millions of them out there.”
Walgreens pointed to that line when reached by FOX Business for reaction to the article, while Recode noted, “of course, close to impossible is not the same as impossible.”
“Protecting personal information of our customers and patients is a top priority,” Walgreens said in its official statement to FOX Business. “They trust us with their health and wellness needs, and we take that responsibility seriously. That includes making sure their data is safe and secure.”
Walgreens added, “We routinely evaluate our technology solutions in order to provide safe, secure, and accessible digital services to our customers and patients and we regularly review and incorporate additional security enhancements when necessary.”