Pfizer: Strike Three

Pharmaceutical giant reports third security breach in as many months, leaves employees crying foul

If you're the chief privacy officer at Pfizer, good things most definitely do not happen in threes.

For the third straight month, the pharmaceutical giant is reporting a serious security breach that may have resulted in the loss of personal data belonging to current and/or former employees. The most recent breach, reported last week, involves the potential theft of personal data on some 34,000 current and former workers at the company.

In late June, Pfizer reported the loss of about 17,000 employees' personal information, which was exposed via P2P file sharing. Less than three weeks ago, two laptops containing data on 950 employees were stolen out of a consultant's car in Boston. (See Pfizer Falls Victim to P2P Hack and Pfizer Reports Second Data Breach in Two Months.)

A Pfizer spokesman called the breaches "three separate and distinct incidences" that bear no relationship to each other.

While the first two incidents were apparently accidental, last week's report suggests theft by an insider. "The breach developed when a Pfizer employee wrongfully removed copies of confidential information from a Pfizer computer system late last year," the report to the state of New Hampshire says. "This was done without Pfizer's knowledge or consent, in violation of Pfizer policy."

The individual who took the data no longer works at the company, according to Pfizer's report. The pharmaceutical firm did not become aware that the data had been taken until July 10.

The lost data includes the names and Social Security numbers of all of the 34,000 individuals whose data was exposed, according to the report. Some of the personal data also included home addresses, phone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, birth dates, signatures, and reason for termination.

Pfizer says it has seen no indication that there has been any unauthorized use of the data. However, the company is still analyzing "a substantial amount of data," and it has notified the employees and former employees involved and provided them with free credit protection services. Law enforcement agencies also have been notified, the company said.
