[ISN] Now Pfizer employees' spouses suffer data compromise

From: InfoSec News (alerts@private)
Date: Fri Oct 12 2007 - 08:10:06 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9042298

By Jaikumar Vijayan
October 11, 2007 
Computerworld

For the fourth time in as many months, some Pfizer Inc. employees have 
been affected by a compromise involving personal data -- though this 
time, in a somewhat indirect fashion and not as a result of a security 
breach at the company itself.

The most recent incident involves Wheels Inc., a Des Plaines, Ill.-based 
company that leases cars to Pfizer employees and their spouses.

In August, Wheels discovered that an online Web application used to 
collect information from spouses of Pfizer employees failed to employ 
proper encryption during the data transfer process, according to 
Stratford Dick, director of marketing at Wheels. As a result, personal 
information sent by about 1,800 spouses of Pfizer employees was 
transmitted in a nonencrypted fashion to Wheels during a two-week period 
in August, Dick said. The data included names, addresses, dates of birth 
and driver's license numbers. Social Security numbers were not collected 
as part of the process, Dick said.

Wheels collects the data in order to conduct a search of motor vehicles 
records to qualify spouses to drive leased company cars, Dick said.

The compromise was brought to Wheels' attention by an employee's spouse, 
Dick said, without elaborating on how that person had discovered the 
problem. Following the discovery of the breach, Wheels shut down the 
service and made sure data was being encrypted during transmission 
before turning the service back on again, he said. The company has also 
reviewed its security practices following the episode, he said, though 
he provided no further details.

The company does, however, seem to resist characterizing the failure as 
a breach. "We certainly don't think it was a breach," Dick added. "The 
term 'breach' implies that our Web site where the information was stored 
was hacked. There is no indication that the site was hacked or that the 
information was stolen."

Even though the likelihood of anyone's information having actually been 
intercepted or stolen during transmission is remote, Wheels has decided 
to offer two years' worth of credit monitoring and credit restoration 
services free of charge to the 1,800 people affected, he said.

This is the fourth data compromise affecting Pfizer since this summer. 
The first incident surfaced in June, when Pfizer said that an employee 
had accidentally exposed Social Security numbers and other personal data 
belonging to about 17,000 of its employees on a peer-to-peer network. 
The exposure was caused by a file-sharing program the employee had 
illegally installed on a company-owned system.

A month later, the company reported that two laptops containing 
confidential employee data as well as proprietary company information 
were stolen out of the locked car of an employee working for Axia, a 
contractor for Pfizer.

Then in September, Pfizer Inc. disclosed that the personal data of as 
many as 34,000 people may have been illegally accessed and downloaded 
from a company computer system by a former employee. The compromised 
information included names, Social Security numbers, dates of birth, 
phone numbers, and bank and credit card information of employees, former 
employees and health care workers.

Pfizer did not immediately respond to a request for comment for this 
story.

