[ISN] Personal data on 17,000 Pfizer employees exposed; P2P app blamed

From: InfoSec News (alerts@private)
Date: Tue Jun 12 2007 - 23:02:26 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9024491

By Jaikumar Vijayan
June 12, 2007 
Computerworld

A Pfizer Inc. employee who installed unauthorized file-sharing software 
on a company laptop provided for use at her home has exposed the Social 
Security numbers and other personal data belonging to about 17,000 
current and former employees at the drug maker.

Of that group, about 15,700 individuals actually had their data accessed 
and copied by an unknown number of persons on a peer-to-peer network, 
the company said in letters sent to affected employees and to state 
attorneys general alerting them to the breach.

Pfizer officials could not be immediately reached for comment. But 
copies of the letters were posted on several sites, including Pharmalot 
[1], a blog covering the pharmaceutical industry.

The incident has prompted an investigation by Connecticut Attorney 
General Richard Blumenthal; some 305 Pfizer employees in that state were 
affected by the breach. In a June 6 letter [2], Blumenthal 
asked Pfizer to provide details on the measures in place prior to the 
breach to protect against data compromises, as well as information about 
when the company discovered the breach and how it responded.

Blumenthal's letter also asked Pfizer to describe how it was able to 
make a distinction between the data that was actually compromised and 
data that might only potentially have been accessed. Blumenthal's letter 
gave Pfizer until June 22 to respond.

According to Pfizer's description of the incident in its letter to 
employees, the compromise stemmed from the use of unauthorized 
file-sharing software on an employee's laptop.

The June 1 letter signed by Pfizer general counsel Lisa Goldman did not 
mention how the company discovered the breach. But she said that as soon 
as the company did become aware of the breach, it recovered the laptop 
from the employee and the file-sharing software was disabled. Because 
the system was being used to access the Internet from outside of 
Pfizer's own network, no other data was compromised. Goldman also 
apologized to the affected individuals for the inconvenience.

Pfizer has contracted for a "support and protection" package with credit 
reporting agency Experian for all affected individuals, Goldman said. 
The packages include a year's worth of free credit monitoring service 
and a $25,000 insurance policy covering costs that individuals might 
incur as a result of the breach, Goldman noted.

Such incidents highlight the importance of implementing controls for 
preventing either accidental or deliberate data leaks via file-sharing 
tools or applications such as instant messaging systems, said Devin 
Redmond, director of the security products group at security vendor 
Websense Inc. Such controls should include measures such as content 
filtering at network gateways, strong controls on access to sensitive 
data and prevention of access to file-sharing applications, he said.

News of the Pfizer breach coincides with the release of a study by 
Dartmouth University's Tuck School of Business that looked into the 
dangers posed by file-sharing applications [3]. The study examined data 
involving P2P searches and files related to the top 30 U.S. banks over a 
seven-week period between December 2006 and February 2007. A 
surprisingly high number of people sharing music and other files on 
peer-to-peer systems are inadvertently exposing all sorts of bank 
account data and similar personal information on their computers to 
criminals lurking on the networks to harvest data, according to the 
report.

[1] http://pharmalot.com/
[2] http://www.ct.gov/ag/lib/ag/consumers/pfizerdatabreachletter.pdf
[3] http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=16&articleId=9024406




