Vox said the issues stem at least as far back as July 2020 but could potentially trace back to April 2020. Anyone signing up for a test with the pharmacy as of Wednesday will be similarly exposed.
Test Data Exposed
Vox’s Recode published an alarming report Monday that accuses Walgreens of exposing and failing to protect the personal data of millions who signed up for COVID-19 tests through its “sloppy” registration system.
That exposed data reportedly includes people’s name, birthday, gender identity, phone number, address, email information, and in some cases, even their test results. All of this “was left on the open web for potentially anyone to see and for the multiple ad trackers on Walgreens’ site to collect,” Recode reporter Sara Morrison said in the article, published Monday.
According to Morrison, the exposed data potentially stretches as far back as April 2020, which is when Walgreens first began offering COVID-19 tests, but it definitively traces back at least to July 2020 given Recode’s findings.
The Issue Involves Test Confirmation Links
Security experts cited by Morrison said the vulnerabilities are basic issues that Walgreens, one of the largest pharmacy chains in the country, should have known how to prevent.
Essentially, anyone with a link to an appointment confirmation can view the full confirmation. There’s no need to log in or authenticate your identity any other way.
To make the situation even easier for bad actors, the links used to confirm appointments are exactly the same minus a unique patient ID contained in what’s called a “query string.” With millions of tests confirmed, it’s not hard for a hacker or a bot to start finding active pages, though a Morrison noted, it would be “close to impossible” to find a specific person through this method.
Still, it’s not totally impossible to find a specific person. If a patient views their confirmation link on a shared computer, such as one at work or a public library, anyone with the ability to check that computer’s browser history can click on the link and reap the person’s information.
“Security by obscurity is an awful model for health records,” Sean O’Brien, founder of Yale’s Privacy Lab, told Recode.
Walgreens Has Not Fixed the Issue
Even after one tech consultant discovered the issue in March and pointed it out to Walgreens multiple times, the company seemingly did nothing, according to Morrison.
From there, Recode said it informed Walgreens of the findings again and even gave it “time to fix the vulnerabilities before publishing” its piece, but once again, the company failed to do anything.
As of right now, anyone scheduling a COVID test with Walgreens appears to be at the same level of risk as those who previously registered. Not only is that a concerning privacy issue, but it could also discourage many from getting tested.
In statements to several outlets, Walgreens has not directly addressed the security concerns. For example, it only told Fox Business that it “routinely evaluate[s] our technology solutions in order to provide safe, secure, and accessible digital services to our customers and patients.”
For those seeking COVID tests and potentially discouraged by this news, it is important to remember that Walgreens isn’t the only pharmacy chain offering free tests. Cities and counties across the country are also continuing to offer free testing sites amid a spike in cases caused by the Delta variant.
See what others are saying: (Recode) (Fox Business) (Reuters)
“Cyberpunk 2077” Developer Agrees To Settle Lawsuit for $1.85M
If approved, CD Projekt Red would pay just a small fraction of the $316 million it reportedly spent developing the game.
CDPR Agrees To Settle
Game developer CD Projekt Red (CDPR) has agreed to settle a class-action lawsuit related to its buggy launch of “Cyberpunk 2077” for $1.85 million, The Verge reported Thursday.
The lawsuit itself is actually a conglomeration of four different suits brought by shareholders who alleged that they were misled about the company’s financial performance. Since the game’s release, CD Projekt Red’s share price has fallen 54%.
The settlement must now be approved in court, but overall, it appears to be a small amount compared to the game’s $316 million budget. In fact, the game reportedly made $563 million in sales and only spent around $2.2 million on a refund campaign, though the developer’s overall refund cost for 2020 could have been as much as $51 million.
“Perhaps the plaintiffs didn’t have much of a case?” The Verge writer Sean Hollister speculated on why “it sounds like the lead plaintiffs and their lawyers negotiated for a fairly tiny sum here in exchange for ‘relinquish[ing] any and all claims against the Company and members of its Management Board.’”
“As expressly stated in the Term Sheet, execution of the Term Sheet does not imply admission of any responsibility on the part of the Company or any of the other defendants named in the case,” the negotiated settlement reads.
“Cyberpunk’s” Botched Launch
“Cyberpunk” was first announced in 2012, and for years, it was the subject of widespread fan anticipation. Seven years later, a release date of April 16, 2020, was given; however, that date was pushed back several times much to the ire of fans, some of whom even sent CDPR staff death threats.
The game was ultimately released amid fan pressure on Dec. 10, 2020, but it was so riddled with glitches that Sony infamously pulled “Cyberpunk” from its Playstation Store a week later, offering full refunds to all players who had purchased a digital copy. In June this year, “Cyberpunk” finally made its way back onto the Playstation Store following multiple patches and hotfixes from CDPR.
Despite “Cyberpunk” surpassing a massive 8 million pre-orders before launch, Bloomberg reported last week that “Where analysts had originally expected Cyberpunk sales of 30 million units in the year after the game’s release, they now expect 17.3 million copies to have been sold in that time.”
In October, CDPR delayed planned next-gen updates for both “Cyberpunk” and “The Witcher 3” until the first and second quarters of 2022, respectively.
“Apologies for the extended wait, but we want to make it right,” the developer said.
See what others are saying: (The Verge) (Engadget) (Video Games Chronicle)
E.U. Court Rules That All Member Nations Must Recognize Same-Sex Parents
The decision comes after a child named Sara was left without a country to call home because she had two mothers.
The Child With No Citizenship
The European Court of Justice, the European Union’s highest court, ruled Tuesday that all 27 of its member states must recognize same-sex parents and their children as a family.
The ruling stems from a case involving two women and their newborn daughter, whose status as a family originally varied between member nations. As a result, the couple’s daughter was left without citizenship in any country.
The two women, Bulgarian citizen Kalina Ivanova and Gibraltar-born British citizen Jane Jones, found themselves unable to take their newborn child Sara out of Spain after she was born in the country. Because Spain recognizes same-sex marriage, both Ivanova and Jones were registered as the girl’s legal mothers on her Spanish birth certificate.
However, under Spanish law, Sara was unable to gain citizenship in the country since neither of her parents were Spanish citizens. On top of that, she was denied British citizenship because Jones “was born in Gibraltar of British descent, and under the British Nationality Act (1981), [Jones] cannot transfer citizenship to her daughter,” the LGBTQ+ advocacy group ILGA-Europe said in a press release.
That left the couple with one other option: register Sara as a Bulgarian citizen. Still, the Bulgarian government refused to issue Sara a legally-recognized birth certificate, arguing that she is ineligible to have two mothers. Officially, Bulgaria does not recognize either same-sex marriages or same-sex registered partnerships.
“Currently, the child has no personal documents and cannot leave Spain, the country of the family’s habitual residence,” lLGA-Europe said. “The lack of documents restrict Sara’s access to education, healthcare, and social security in Spain.”
In its Tuesday decision, the European Court of Justice ruled that children in the EU have a legal right to freely move between countries given that such a right is afforded to all EU citizens. Because of this, all countries are now required to uniformly recognize the child’s parents, even if they are of the same sex.
“That refusal could make it more difficult for a Bulgarian identity document to be issued and, therefore, hinder the child’s exercise of the right of free movement and thus full enjoyment of her rights as a Union citizen,” the court said.
Despite some member states like Bulgaria not legally recognizing same-sex couples, the court stressed that its ruling “does not undermine the national identity or pose a threat to the public policy” of those nations.
That’s because while Bulgaria doesn’t have to issue its own birth certificate for Sara, it does have to recognize the Spanish birth certificate and issue its own identity card or passport for Sara.
“We are thrilled about the decision and cannot wait to get Sara her documentation and finally be able to see our families after more than two years,” Sara’s parents said according to the ILGA-Europe release. “It is important for us to be a family, not only in Spain but in any country in Europe and finally it might happen. This is a long-awaited step ahead for us but also a huge step for all LGBT families in Bulgaria and Europe.”
GoFundMe Campaign Raises $8,700 for Waitress Who Was Fired After Not Sharing $4,400 Tip With Co-Workers
The waitress said this was the only time management had ever tried to force her to pool a tip in her three-and-a-half years working at the restaurant.
Waitress Gets Fired After Receiving Massive Tip
An Arkansas waitress has received over $8,700 in donations online after she was fired from her job for refusing to split her half of a $4,400 dollar tip with the rest of the restaurant’s crew.
That waitress, Ryan Brandt, told local Nexstar outlet KNWA last week that she and another server received the tip after waiting on a group of more than 40 people at the Oven & Tap restaurant in Bentonville.
“It was an incredible thing to do and to see her reaction was awesome, to see what that meant to her, the impact that it’s had on her life already,” Grant Wise, who was part of the party Brandt served, told the outlet.
According to KNWA, Wise called the restaurant before his large party arrived and asked about its tipping policy since they intentionally planned to donate $100 each as part of a way to thank restaurant workers. At the time of his call, Wise said he was told the money would go directly to his party’s servers.
“We knew servers were really hit hard through COVID, and it was something that we had come up with to help give back,” Wise told KFSM.
The outcome, however, was much different. After receiving the tip, Brandt and the other server were allegedly told by a manager that they needed to pool the tip with the rest of the workers on duty. Brandt told KNWA she had never once been asked to pool her tips in her three-and-a-half years at the restaurant prior to this.
Complying meant Brant would take home just 20% of her half of the tip.
At some point before leaving, Brandt informed Wise that her tip would be pooled with the rest of the staff. Wise, who had intended the money to only go to his servers, then asked management to return his tip, which he gave to Brandt directly outside the restaurant. The following day, Brandt said she was fired over the phone.
“It was devastating,” Brandt told local outlets. “I borrowed a significant amount for student loans. Most of them were turned off because of the pandemic but they’re turning back on in January and that’s a harsh reality.”
Oven & Tap did not speak on Brandt’s firing in its initial statement. Instead, it only said, “After dining, this large group of guests requested that their gratuity be given to two particular servers. We fully honored their request. Out of respect for our highly valued team members, we do not discuss the details surrounding the termination of an employee.”
In a follow-up statement, Oven & Tap owners Mollie Mullis and Luke Wetzel said, “The server who was terminated several days after the group dined with us was not let go because she chose to keep the tip money.”
“We recognize and regret that a recent incident in our restaurant could have been handled differently by reminding our team how we would be splitting any tips prior to the event, however, our policy has always been to participate in a tip pool/share with the staff. Tip sharing is a common restaurant industry practice that we follow to ensure all of our team members are adequately compensated for their hard work.”
Oven & Tap has still not specifically commented on why it fired Brandt, but Brandt told KNWA she believes it’s because she violated company policy by telling Wise that his party’s tip was going to be pooled.
Online Fundraising Campaigns for Brandt
After learning of Brandt’s firing, Wise created a GoFundMe, which ultimately raised $8,732 for Brandt.
“[Brandt] is, from what I can tell, a very kind woman that was working two jobs to get by through the pandemic,” he said in his initial post. “She has incredible aspirations to grow her own business and I can tell has a servants-heart.”
Wise provided an update Tuesday saying that instead of closing the GoFundMe, he will keep the campaign open to raise additional money to “pay it forward” to a future group of restaurant staff who will wait on his party.
“In January, we are going to host another $100 Dinner Club and I have invited [Brandt] to be our ‘Guest of Honor’!” he said. “Any dollar amount raised over the $8,732 that has already been raised and is being paid out to [Brandt] will be given directly to the staff of the restaurant we decide to eat at.”
“We will be working to ensure through this that all staff in the restaurant are tipped so everyone feels blessed by our dinner.”
As of Tuesday morning, the GoFundMe page has raised over $9,100.