Walgreens, the second-largest pharmacy store chain in the United States behind CVS Health, announced that its mobile app leaked users' personal data. 

Walgreens says their investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app. Once they learned of the incident, "Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue."

Their investigation determined that certain messages containing limited health-related information were involved in the incident for a small percentage of impacted customers. Health-related information may have been viewed by another customer on the Walgreens mobile app between January 9, 2020 and January 15, 2020, says Walgreens.

First and last name, prescription number and drug name, store number and shipping address where applicable may also have been viewed by other customers, says the company. Walgreens claims that no financial information such as Social Security number or bank account information was involved in the incident.  

Jack Mannino, CEO at nVisium, tells Security Magazine that, “While the language suggests that this was due to a system error rather than an attack against the application’s authorization, it highlights the importance of rigorously testing software. Mobile applications and APIs have a lot of interfaces, where we need to understand how our systems behave when they fail, whether it’s through intentional attacks or inadvertent errors with unintended consequences.”

Fausto Oliveira, Principal Security Architect at Acceptto, notes that the incident looks like a typical example of lack of proper testing. "If the error conditions in the app had been properly tested, this type of issue should have been caught by the QA department and never seen in production," he says. "It is unfortunate that often in the rush to go to market, shortcuts are taken and due diligence testing is skipped in favor of meeting a release date. It also raises questions as to why wasn't this information encrypted so that even if it was written to a database it would be unreadable and also how come individuals had access to a copy of the database? A proper design would have ensured that any records accessible on the mobile device would be encrypted using per user keys and that the device would only have access to the information that was relevant to the specific user."

"That said, the fact that prescriptions were leaked is worrying since it discloses health conditions that may be used for nefarious purposes such as blackmailing, making employers aware of conditions that an individual may not want to reveal or for social harassment purposes (amongst others)," he adds. "I think the offer from Walgreens to place the customers in several credit card monitoring companies, is ineffective and does not help at all to address the concerns above. If the information has been leaked it is out there and credit card monitoring companies cannot do anything to prevent the information from spreading. This is a situation where preventing this type of events from happening in the first place is the only cure."

Terence Jackson, Chief Information Security Officer at Thycotic, however, commends Walgreens for detecting the vulnerability in their mobile app and closing the gap in relative short order. "It appears that they have invested well in detective capabilities. Incidents will happen and how a company detects and responds to an incident along with the level of transparency that is used can go a long way in repairing lost customer trust."