Global pharmaceutical giant Pfizer Inc. has suffered a huge data breach, with patient information found exposed on unsecured cloud storage.
The exposed data was found on a misconfigured Google Cloud storage bucket. The data included hundreds of conversations between Pfizer’s automated customer support software and people using its prescription pharmaceutical drugs, including Lyrica, Chantix, Viagra and the cancer treatments Ibrance and Aromasin. Along with confidential medical information, the transcripts included full names, home addresses and email addresses, all of which could be used by hackers to target patients with highly effective phishing campaigns.
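As an added example (not code from the article, Pfizer or Google), the following audits a Google Cloud Storage bucket for the kind of misconfiguration described above: it flags IAM bindings granted to everyone and checks that public access prevention and uniform bucket-level access are on. The input is constructed to match the shape of the JSON returned by the GCS `buckets.get` and `buckets.getIamPolicy` API calls; the bucket name and group are hypothetical.

```python
from typing import Dict, List

# Principals that make a binding world-accessible in GCS IAM.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: Dict) -> List[Dict[str, str]]:
    """Return the (role, member) pairs that grant access to everyone."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append({"role": binding["role"], "member": member})
    return found


def audit_bucket(metadata: Dict, policy: Dict) -> List[str]:
    """Return findings for a bucket; an empty list means no public exposure."""
    findings = []
    iam_cfg = metadata.get("iamConfiguration", {})
    # publicAccessPrevention == "enforced" blocks allUsers/allAuthenticatedUsers
    # grants at the bucket level regardless of IAM bindings or object ACLs.
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("publicAccessPrevention is not 'enforced'")
    # Without uniform bucket-level access, per-object legacy ACLs still apply
    # and can make individual objects public even if the IAM policy is clean.
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("uniformBucketLevelAccess disabled (legacy object ACLs still apply)")
    for hit in public_bindings(policy):
        findings.append(f"{hit['member']} holds {hit['role']}")
    return findings


# Constructed sample: a world-readable bucket (hypothetical name and group).
SAMPLE_METADATA = {
    "name": "example-support-transcripts",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": False},
        "publicAccessPrevention": "inherited",
    },
}
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin", "members": ["group:ops@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]
}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_METADATA, SAMPLE_POLICY):
        print("FINDING:", finding)
```

In a real environment the two dictionaries would be fetched with the `google-cloud-storage` client or `gsutil iam get gs://<bucket>`, and the same check can be run across every bucket in a project as a scheduled detection.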
Commenting on the news, Boris Cipot, senior security engineer at Synopsys, said: “Storing data within a cloud container has become the norm today. However, it seems that few systems are built on the principle of ‘security by design’, often leaving customer data unprotected. All data, from personal medical information to data which can be misused in spamming, phishing or even extortion campaigns, should be protected at the highest level. Every company that handles customer data needs to be aware that systems used to store and process data must be made resilient; instances of misconfiguration cannot persist.”
Sam Curry, chief security officer at Cybereason, added: “What the recent Pfizer data breach tells us is that it is extremely difficult for even the largest companies in the world to secure their data every hour, every day and every week. It’s irrelevant whether an internal or external error led to this data breach, because the digital footprint for enterprises is expanding at such a rapid pace that errors will occur and data will be exposed. However, it is incumbent upon Pfizer to continue to do everything humanly possible to protect its IP, customer and partner data and all proprietary information. In this case, Pfizer can’t play the victim card, as there certainly aren’t any customers interested in hearing excuses. What they want is transparency and guarantees that the company will continue to make sure data protection is their top priority. Let this be another wake-up call for all companies to improve their security and use threat hunting services to discover malicious operations quickly, so that hackers are stopped in their tracks before material damage occurs.”