Perspective from our Fausto Oliveira, principal security architect
Fausto Oliveira, Principal Security Architect at Acceptto, notes that the incident looks like a typical example of lack of proper testing. "If the error conditions in the app had been properly tested, this type of issue should have been caught by the QA department and never seen in production," he says. "It is unfortunate that often in the rush to go to market, shortcuts are taken and due diligence testing is skipped in favor of meeting a release date. It also raises questions as to why wasn't this information encrypted so that even if it was written to a database it would be unreadable and also how come individuals had access to a copy of the database? A proper design would have ensured that any records accessible on the mobile device would be encrypted using per user keys and that the device would only have access to the information that was relevant to the specific user."
"That said, the fact that prescriptions were leaked is worrying since it discloses health conditions that may be used for nefarious purposes such as blackmailing, making employers aware of conditions that an individual may not want to reveal or for social harassment purposes (amongst others)," he adds. "I think the offer from Walgreens to place the customers in several credit card monitoring companies, is ineffective and does not help at all to address the concerns above. If the information has been leaked it is out there and credit card monitoring companies cannot do anything to prevent the information from spreading. This is a situation where preventing this type of events from happening in the first place is the only cure."
Read the full article at threatpost website.