Monday, June 11, 2007

Pfizer screws up royally: 17,000 employee names and SS numbers copied by thieves

To read this sad story, including the letter from Pfizer's lawyers, simply click on each image below.

According to Pfizer, "the breach occurred when the spouse of a Pfizer employee loaded unauthorized software onto the employee's Pfizer laptop computer. The software allowed outsiders access to a number of files, that included the names and social security numbers of the affected Pfizer employees."

Pfizer also writes that 15,700 employees "had their data accessed and copied" and 1,250 "may have had their data copied" by thieves.

Clearly Pfizer is trying to put the blame on the employee whose spouse loaded file-sharing software onto a Pfizer computer, and, as expected, on Pfizer's message board on CafePharma other employees are now asking for this employee's head on a plate.

But is the story that simple?

No company with one hundred thousand employees can ensure that each employee always does the right thing, much less their spouses.

What they can and should do is ensure that appropriate routines and encryption are in place to protect sensitive data even if such data is leaked.

Clearly Pfizer didn't care enough to do that.

This data breach will cause major challenges not only for Pfizer employees; the privacy of former employees has also been violated.

The fact that it has been confirmed that our names and social security numbers have been copied by anonymous individuals means there is a significant likelihood that this information is now being traded on illicit websites, where such names and numbers are sold for use in financial fraud and fake documents.

I have not received my letter yet, but I'm checking my mailbox every day.

Thank you, Pfizer!

This story has circulated on CafePharma for a few days, here, here, and here, and today Ed Silverman posted the actual documents.

4 comments:

Anonymous said...

Any word on how far back this database of employee info goes (e.g. current employees only, only employees still employed as of 2006, only those employed as of 2005 and since, etc.)???

Any chance this would affect an employee who left in 2004???

Anonymous said...

What a bunch of idiots. Why would you put this sort of info on a LAPTOP in the first place?

Scott Bartz said...

Data security in the big Pharma company I worked for was utterly ridiculous. I regularly received files and worked with data that included employee SS#, name, address, email, & phone# for entire sales forces. I, and thousands of other employees, had access to this data. When files were saved, they were saved to both a shared drive and my laptop. Furthermore, this data was given to vendors whose security was even worse. And of course, I have documents to back this up.

Peter Rost said...

If you do have documents to back that up you know where to send them!

Of course, no such personal data will be posted here, but the story sure will.

Plus perhaps a few redacted documents . . .