By Jaikumar Vijayan
June 12, 2007
A Pfizer Inc. employee who installed unauthorized file-sharing software
on a company laptop provided for use at her home has exposed the Social
Security numbers and other personal data belonging to about 17,000
current and former employees at the drug maker.
Of that group, about 15,700 individuals actually had their data accessed
and copied by an unknown number of persons on a peer-to-peer network,
the company said in letters sent to affected employees and to state
attorneys general alerting them of the breach.
Pfizer officials could not be immediately reached for comment. But
copies of the letters were posted on several sites, including Pharmalot
, a blog covering the pharmaceutical industry.
The incident has prompted an investigation by Connecticut Attorney
General Richard Blumenthal; some 305 Pfizer employees in that state were
affected by the breach. In a June 6 letter (download PDF), Blumenthal
asked Pfizer to provide details on the measures in place prior to the
breach to protect against data compromises, as well as information about
when the company discovered the breach and how it responded.
Blumenthal's letter also asked Pfizer to describe how it was able to
make a distinction between the data that was actually compromised and
data that might only potentially have been accessed. Blumenthal's letter
gave Pfizer until June 22 to respond.
According to Pfizer's description of the incident in its letter to
employees, the compromise stemmed from the use of unauthorized
file-sharing software on an employee's laptop.
The June 1 letter signed by Pfizer general counsel Lisa Goldman did not
mention how the company discovered the breach. But she said that as soon
as the company did become aware of the breach, it recovered the laptop
from the employee and the file-sharing software was disabled. Because
the system was being used to access the Internet from outside of
Pfizer's own network, no other data was compromised. Goldman also
apologized to the affected individuals for the inconvenience.
Pfizer has contracted for a "support and protection" package with credit
reporting agency Experian for all affected individuals, Goldman said.
The packages include a year's worth of free credit monitoring service
and a $25,000 insurance policy covering costs that individuals might
incur as a result of the breach, Goldman noted.
Such incidents highlight the importance of implementing controls for
preventing either accidental or deliberate data leaks via file-sharing
tools or applications such as instant messaging systems, said Devin
Redmond, director of the security products group at security vendor
Websense Inc. Such controls should include measures such as content
filtering at network gateways, strong controls on access to sensitive
data and prevention of access to file-sharing applications, he said.
News of the Pfizer breach coincides with the release of a study by
Dartmouth University's Tuck School of Business that looked into the
dangers posed by file-sharing applications . The study examined data
involving P2P searches and files related to the top 30 U.S. banks over a
seven-week period between December 2006 and February 2007. A
surprisingly high number of people sharing music and other files on
peer-to-peer systems are inadvertently exposing all sorts of bank
account data and similar personal information on their computers to
criminals lurking on the networks to harvest data, according to the
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com