America's second-largest pharmacy store chain has disclosed an app error that let customers view the private personal messages of other customers.
For nearly a week last month, users of the Walgreens mobile app were able to view the first and last names and shipping addresses of other customers together with their prescription numbers, the names of the drugs they had been prescribed, and the store number of the branch fulfilling their order.
Walgreens filed a data breach report with the California Department of Justice on Friday, February 28, including a sample of the breach notification letter the company sent out to affected customers.
In the letter, the company explains: "We recently learned of unauthorized disclosure of one or more of your secure messages within the Walgreens mobile app."
The company goes on to state that from January 9, 2020, to January 15, 2020, personal messages from Walgreens that were stored in a database were viewable by other customers using the Walgreens mobile app.
According to the chain, the breach was due to an internal error in the personal secure messaging feature of the Walgreens mobile app.
Walgreens said that swift action was taken once the breach came to light but gave no information regarding how the exposure was discovered.
The pharmacy chain said that only a small percentage of its customer base was affected by the cybersecurity incident and that no financial data or Social Security numbers were exposed.
The store then promised to carry out additional testing of the app in the future to make sure changes won't compromise the privacy of customer data.
Fausto Oliveira, principal security architect at Acceptto, believes a lack of testing and poor design were to blame for the error that caused the breach.
"If the error conditions in the app had been properly tested, this type of issue should have been caught by the QA department and never [been] seen in production. It is unfortunate that often in the rush to go to market, shortcuts are taken, and due diligence testing is skipped in favor of meeting a release date," he commented.
"A proper design would have ensured that any records accessible on the mobile device would be encrypted using per user keys and that the device would only have access to the information that was relevant to the specific user."