Pfizer: 17,000 Employees Suffer Privacy Breach
15 Comments | By Ed Silverman // June 11th, 2007 // 7:20 am
You read it here first. The June 1 letter from Lisa Goldman in Pfizer’s privacy office has been arriving in mail boxes over the past few days, and the news for thousands of current and former employees isn’t good - there was an unauthorized breach of privacy data, including names and social security numbers. The drugmaker is offering a free year’s worth of credit monitoring. Here’s an excerpt:
“The information was stored on a Pfizer laptop computer that was provided to a Pfizer colleague for use in her home. Due to the unauthorized installation of certain file sharing software on the laptop, files stored in the laptop containing names, social security numbers, and in some instances, addresses and bonus information of approximately 17,000 present and former Pfizer colleagues, were exposed to one or more third parties. Our investigation revealed that certain files containing your data were accessed and copied.”
“Based on our investigation to date, we have no reason to believe that any other personally identifiable information was exposed. Also, because the laptop was being used to access the internet outside the Pfizer network environment, there are no associated risks to any other data systems maintained by Pfizer. We apologize for this incident and sincerely regret any inconvenience that these events and responding to this notice may cause you.”
There’s more than a little irony here. Last year, CEO Jeff Kindler was pictured in Pharmaceutical Executive magazine posing in Pfizer’s security bunker. Looks like it should have been fortified.
The drugmaker is suggesting employees call 866-274-3891 to arrange for the monitoring, which may actually be needed for more than one year.
roccaas
Does this breach include any information about Parke-Davis or Pharmacia employees who never worked for Pfizer, but were offered positions when Pfizer made the buyout?
Be afraid, be very very afraid!
Jane
http://doj.nh.gov/consumer/pdf/Pfizer2.pdf
Pfizer claims that the spouse of an employee loaded the unauthorized file sharing software onto the laptop computer.
MSL Blogs » Blog Archive » Learn from Pfizer…
[...] from Pharmalot on the Pfizer security breach opens thousands of employees [...]
roccaas
Pfizer answered my question today! Yes, as an employee of a company bought by Pfizer my information (including SSN) could be part of the data that “got out”.
news.osn.ro
Pfizer: Personal data of 17,000 employees compromised…
An employee of Pfizer Inc. exposed the personal data of the company’s employees through the unauthorized installation of a P2P (file-sharing) application on the company-provided laptop.
The data of approximately 15,700 people were accessed and copied thr…
Former_PNU_Geek
Although I’m sure some improvements have been made, expect it to happen again. — I’ve spent years working in IT in and around its largest manufacturing base (in the US), and I’ve seen many areas where data security needed improving.
I wonder whether Dorothy Jeter (mother of Derek Jeter) had her info in that mix. That alone would probably do well to rack up the sale rate on this batch of stolen data.
jcr
So, why would a company allow employees to log into laptops/desktops with sufficient authority/credentials to install software (which could/would include malware as well, BTW)? Why would a company not have hard drive encryption deployed on all laptops as a standard? Sounds like change management practices are lacking, not just data security!
me
Once the laptop is logged into, with or w/out encryption s/w, the data is available. Encryption is primarily for unauthorized access such as when the laptop/workstation is lost or stolen to prevent access.
The other comment is correct - why are employees allowed Administrative Access to install whatever they want? Pfizer should fire the IT Executive who allowed this.
Craig Herberg
This problem is probably much more widespread than most people think. Employees have far too much confidential data on laptop computers. Regardless how tightly controlled internal systems are maintained by proactive IT units, compromised remote computers accessing any internal systems — such as email — can compromise the entire enterprise, including its employees and clients. Unfortunately, keyloggers and remote access trojans are commonplace on computers in the field. Organizations that allow employees to possess or access confidential or proprietary data need to have policies and practices to reduce the risk of breach. These P & Ps must include remote computers, including those not owned by the company.
Jordan
What can we do as individuals or corporations to keep personal information safe? We need to come up with some kind of solution or we may all become a victim some day. In our recent post we ask if anybody is truly safe from a data breach.
http://www.ecorablog.com/the_compliance_and_securi/2007/06/is_it_inevitabl.html
Jack E. Dunning
I would like to know what consumer personal medical data Pfizer has and from what sources they collected it. Especially after the recent breach, and the fact a laptop computer with employee sensitive data “…was provided to a Pfizer colleague for use in her home.” This is nuts! Not too long ago I was involved in a lawsuit by Privacy Rights Clearinghouse against Albertson’s/OSCO for selling my prescription information to drug companies. If the pharmaceutical industry is manipulating our private information for profit, the individual should at least have control, and be compensated when it is sold. You can read more in my blog, “The Dunning Letter” at: http://thedunningletter.blogspot.com/search?q=hipaa
Jack E. Dunning
Cave Creek, AZ
Jim Kerr
If they had our vault on the laptop this would not have occurred. We have a product that safeguards sensitive information on any portable device. A fingerprint is required to access the data so even if the laptop was stolen the chances of getting at the data would be 7 to the tenth power.
Trustedtoolkit
Jim Kerr said:
“If they had our vault on the laptop this would not have occurred. We have a product that safeguards sensitive information on any portable device. A fingerprint is required to access the data so even if the laptop was stolen the chances of getting at the data would be 7 to the tenth power.”
Tell me how your “Vault” encryption solution would protect against the unauthorized transfer of data via a P2P application?
Lamparita
Did anyone receive a second letter dated September 19 with updated information?
On Pharma
[...] Pharmalot reported that the personal data of 17,000 Pfizer employees (including social security numbers) was exposed, [...]