BreachExchange mailing list archives
Pharma giant Pfizer exposes patient data on unsecured cloud storage
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 21 Oct 2020 09:33:21 -0500
https://siliconangle.com/2020/10/20/pharma-giant-pfizer-exposes-patient-data-unsecured-cloud-storage/

Global pharmaceutical giant Pfizer Inc. has suffered a data breach with patient information found exposed on unsecured cloud storage.

Discovered and publicized today by researchers at vpnMentor, the exposed data was found on a misconfigured Google Cloud storage bucket. The data included hundreds of conversations between Pfizer’s automated customer support software and people using its prescription pharmaceutical drugs including Lyrica, Chantix, Viagra and cancer treatments Ibrance and Aromasin.

Along with confidential medical information, the transcripts included full names, home addresses and email addresses, all of which could be used by hackers to target patients with highly effective phishing campaigns.

“Hackers could easily trick victims by appearing as Pfizer’s customer support department and referencing the conversations taking place in the transcripts,” the researchers explained. “For example, many people were enquiring about prescription refills and other queries. Such circumstances give cybercriminals a great opportunity to pose as Pfizer and request card details in order to proceed with the refills.”

The potential of financial information phishing aside, the researchers also warned of the risk of the data being used to target patients with malicious software or even ransomware.

The further risk is that if hackers used the personally identifiable information to trick a patient into providing more information, the combined data could be used for fraud including identity theft, potentially destroying a person’s financial well-being.

Disturbingly, the data remained exposed online for months after it was first discovered. The researchers reached out to Pfizer twice in July with no response before further attempting to contact the company on Sept. 22. The company finally responded the third time, with the data being taken offline on Sept. 23.

As of the time of writing, Pfizer has not confirmed the report nor issued a statement. Given that the data appears to be legitimate, Pfizer could face legal action for the data breach.

If any of the patients were residents of California, the California Consumer Privacy Act applies. Becoming law in January, the act, along with providing consumer privacy protection, also allows consumers to bring legal action for statutory damages in the event of a data breach from a business’ failure to implement reasonable security procedures. Leaving a Google Cloud storage bucket open to all and sundry would certainly meet the definition of not taking reasonable security measures.

That Pfizer has leaked data comes as no great surprise given its history. The company had three data breaches in 2007 and in an incident in 2019 “inadvertently left a backup hard drive in a box that was discarded in the trash.”