[ISN] Conn. AG Investigating Former Employee Link To Pfizer Data Breach

From: InfoSec News (alerts@private)
Date: Wed Sep 26 2007 - 23:03:09 PDT


By Sharon Gaudin
September 26, 2007 

The Connecticut Attorney General is investigating a former Pfizer 
employee in connection with a data breach that compromised personally 
identifying employee information.

Bernard Nash, an attorney for the world's largest drug maker, said in a 
letter to the Attorney General that another company sent a package to 
Pfizer on July 6 that contained a DVD with Pfizer data on it. The 
information had been found on a computer that the company, which went 
unnamed in the letter, had assigned to a worker who had formerly been 
employed at Pfizer, according to Nash's Sept. 21 letter.

After reviewing the information, Pfizer "became aware" that personal 
information from the Pfizer network was on the DVD, Nash wrote. The 
company notified a federal prosecutor on Aug. 17 "to explain Pfizer's 
investigatory efforts, discuss the possibility of prosecution of the 
responsible individual, and receive input on the most productive use of 
Pfizer's investigative resources."

A source close to the investigation told InformationWeek that the AG's 
office is investigating the matter.

Nash's letter noted that the company's network was not breached. "The 
individual who accessed the data in Pfizer's computer system was, at the 
time of the access, authorized to do so," he wrote. "The wrongful 
removal of the data from Pfizer was a violation of Pfizer policy, but no 
breach of the computer security system occurred."

It was not noted why the person stopped working at Pfizer or where the 
individual began working next.

Nash reported that the incident compromised employee information, 
including name, Social Security number, address, cell and home phone 
numbers, credit card numbers, bank account numbers, driver's license 
numbers, birth dates, and even signatures.

In mid-August, Pfizer alerted Connecticut Attorney General Richard 
Blumenthal of the May theft of two company laptops containing personal 
information of 950 people. It was the second time in two months that a 
security breach at Pfizer had put the personally identifying information 
of current and former employees at risk. The earlier security breach 
exposed information on 17,000 people.

It is not yet clear if Nash's letter about the former employee relates 
to either of these two breaches or to another breach.

Pfizer could not be reached for comment.

The news comes within a week of online brokerage TD Ameritrade Holding 
Corp. announcing that a hacker broke into one of its databases and stole 
personally identifying information on its 6.3 million customers.

