By Sharon Gaudin
September 26, 2007
The Connecticut Attorney General is investigating a former Pfizer
employee in connection with a data breach that compromised personally
identifying employee information.
Bernard Nash, an attorney for the world's largest drug maker, said in a
letter to the Attorney General that another company sent a package to
Pfizer on July 6 that contained a DVD with Pfizer data on it. The
information had been found on a computer that the company, which went
unnamed in the letter, had assigned to a worker who had formerly been
employed at Pfizer, according to Nash's Sept. 21 letter.
After reviewing the information, Pfizer "became aware" that personal
information from the Pfizer network was on the DVD, Nash wrote. The
company notified a federal prosecutor on Aug. 17 "to explain Pfizer's
investigatory efforts, discuss the possibility of prosecution of the
responsible individual, and receive input on the most productive use of
Pfizer's investigative resources."
A source close to the investigation told InformationWeek that the AG's
office is investigating the matter.
Nash's letter noted that the company's network was not breached. "The
individual who accessed the data in Pfizer's computer system was, at the
time of the access, authorized to do so," he wrote. "The wrongful
removal of the data from Pfizer was a violation of Pfizer policy, but no
breach of the computer security system occurred."
It was not noted why the person stopped working at Pfizer or where the
individual began working next.
Nash reported that the incident compromised employee information,
including name, Social Security number, address, cell and home phone
numbers, credit card numbers, bank account numbers, driver's license
numbers, birth dates, and even signatures.
In mid-August, Pfizer alerted Connecticut Attorney General Richard
Blumenthal of the May theft of two company laptops containing personal
information of 950 people. It was the second time in two months that a
security breach at Pfizer has put the personally identifying information
on current and former employees at risk. The earlier security breach
exposed information on 17,000 people.
It is not yet clear if Nash's letter about the former employee relates
to either of these two breaches or to another breach.
Pfizer could not be reached for comment.
The news comes within a week of online brokerage TD Ameritrade Holding
Corp. announcing that a hacker broke into one of its databases and stole
personally identifying information on its 6.3 million customers.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com