[BreachExchange] Pharma giant Pfizer exposes patient data on unsecured cloud storage

Destry Winant destry at riskbasedsecurity.com
Wed Oct 21 10:33:21 EDT 2020


https://siliconangle.com/2020/10/20/pharma-giant-pfizer-exposes-patient-data-unsecured-cloud-storage/

Global pharmaceutical giant Pfizer Inc. has suffered a data breach
with patient information found exposed on unsecured cloud storage.

Discovered and publicized today by researchers at vpnMentor, the
exposed data was found on a misconfigured Google Cloud storage bucket.
The data included hundreds of conversations between Pfizer’s automated
customer support software and people using its prescription
pharmaceutical drugs including Lyrica, Chantix, Viagra and cancer
treatments Ibrance and Aromasin.

Along with confidential medical information, the transcripts included
full names, home addresses and email addresses, all of which could be
used by hackers to target patients with highly effective phishing
campaigns.

“Hackers could easily trick victims by appearing as Pfizer’s customer
support department and referencing the conversations taking place in
the transcripts,” the researchers explained. “For example, many people
were enquiring about prescription refills and other queries. Such
circumstances give cybercriminals a great opportunity to pose as
Pfizer and request card details in order to proceed with the refills.”

Beyond phishing for financial information, the researchers also warned
that the data could be used to target patients with malicious software
or even ransomware. A further risk is that if hackers used the
personally identifiable information to trick a patient into providing
more information, the combined data could be used for fraud, including
identity theft, potentially destroying a person’s financial well-being.

Disturbingly, the data remained exposed online for months after it was
first discovered. The researchers reached out to Pfizer twice in July
with no response before further attempting to contact the company on
Sept. 22. The company finally responded the third time, with the data
being taken offline on Sept. 23.

As of the time of writing, Pfizer has not confirmed the report nor
issued a statement.

Given that the data appears to be legitimate, Pfizer could face legal
action for the data breach. If any of the patients were residents of
California, the California Consumer Privacy Act applies. Becoming law
in January, the act, along with providing consumer privacy protection,
also allows consumers to bring legal action for statutory damages in
the event of a data breach from a business’ failure to implement
reasonable security procedures. Leaving a Google Cloud storage bucket
open to all and sundry would certainly meet the definition of not
taking reasonable security measures.

That Pfizer has leaked data comes as no great surprise given its
history. The company had three data breaches in 2007 and in an
incident in 2019 “inadvertently left a backup hard drive in a box that
was discarded in the trash.”
