Data Breach in the Pharmacy: What the Latest Leak Means for Your Business

Details on companies affected by the breach are not yet available.

What could be the largest data breach identified to date involves 4.5 billion username and password combinations from large industry leaders, small businesses, and even personal websites.

The breach’s wide reach has the potential to compromise pharmacy websites and user accounts, and pharmacists may need to take steps to check their site’s security.

According to Hold Security, the cybersecurity firm identifying the breach, those responsible used a combination of tactics to amass the data. The group’s tactics initially included purchasing databases with the information from other hackers, a press release from the company states. The group later switched their tactics, Hold Security reports. The group began using a botnet network—a group of malware infected computers controlled by a criminal group—to identify vulnerabilities in Structured Query Language (SQL), a programming language used for many database systems—including those that organize product or customer data for various websites. The hackers then used those vulnerabilities to steal identification credentials, including e-mail and password pairs, from the websites.

Hold Security has not yet revealed the affected companies, citing nondisclosure agreements, according to a New York Times article.

Although certain credentials might be repeated or invalid, the sheer number of username and password combinations represents a potential open door for systems and accounts.

“4.5 billion credentials seems like an impossible number, but just think of how many sites require you to register your email address and, let’s face it, almost everyone re-uses their passwords,” the release stated. “So, it’s not hard to see how some of us could have been victimized more than once.”

According to Brian Krebs, author of the cybersecurity blog Krebs on Security, an individual’s level of concern relates to whether that particular person uses the same log-on and password for multiple websites. His blog post on the breach notes that the particular type of attack tends to be used to send spam e-mails meant to spread malware or promote bogus products.

Hold Securities recommends checking whether websites are susceptible to SQL-injection attacks, and examining auxiliary sites for the vulnerabilities. For pharmacies that control their own websites, this may necessitate a call to the website designer or hosting service, or the technology team handling the business’s needs. Local independent contracting firms can also offer information security services, and pharmacists should look for firms with certified experts. Common certifications include Certified Software Lifecycle Professionals (CSSLP), and GIAC-Certified Web Application Defender (GWEB).

Krebs notes that 2-factor identification—requiring a log-in, password, and another identification method (eg, a PIN number, a security question, a code sent to one’s phone or special key fob)—can help mitigate the effects of these types of attacks. A list of websites, including banks, e-mail providers, and web hosting services, is available here. Meanwhile, Molly Wood of The New York Times offers further advice in a blog post for the publication’s Bits blog.