
Pfizer: Strike Three

Pharmaceutical giant reports third security breach in as many months, leaves employees crying foul

If you're the chief privacy officer at Pfizer, good things most definitely do not happen in threes.

For the third straight month, the pharmaceutical giant is reporting a serious security breach that may have resulted in the loss of personal data belonging to current and/or former employees. The most recent breach, reported last week, involves the potential theft of personal data on some 34,000 current and former workers at the company.

In late June, Pfizer reported the loss of about 17,000 employees' personal information, which was exposed via P2P file sharing. Less than three weeks ago, two laptops containing data on 950 employees were stolen out of a consultant's car in Boston. (See Pfizer Falls Victim to P2P Hack and Pfizer Reports Second Data Breach in Two Months.)

A Pfizer spokesman called the breaches "three separate and distinct incidences" that bear no relationship to each other.

While the first two incidents were apparently accidental, last week's report suggests theft by an insider. "The breach developed when a Pfizer employee wrongfully removed copies of confidential information from a Pfizer computer system late last year," the report to the state of New Hampshire says. "This was done without Pfizer's knowledge or consent, in violation of Pfizer policy."

The individual who took the data no longer works at the company, according to Pfizer's report. The pharmaceutical firm did not become aware that the data had been taken until July 10.

The lost data includes the names and Social Security numbers of all of the 34,000 individuals whose data was exposed, according to the report. Some of the personal data also included home addresses, phone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, birth dates, signatures, and reason for termination.

Pfizer says it has seen no indication that there has been any unauthorized use of the data. However, the company is still analyzing "a substantial amount of data," and it has notified the employees and former employees involved and provided them with free credit protection services. Law enforcement agencies also have been notified, the company said.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
