Unauthorised laptop software causes security breach at Pfizer

Bill Brenner, Senior News Writer

Thursday 14 June 2007 10:39

Pfizer has admitted that the identities of 17,000 current and former employees were compromised when an employee's spouse installed unauthorised file-sharing software on a company laptop where the data was stored.

Pfizer attorney Bernard Nash said in a letter (.pdf) to attorneys general in states where affected employees live that names and Social Security numbers were exposed and that the pharmaceutical company will offer them a free year of credit monitoring.

"This software allowed outsiders access to a number of files that included the names and Social Security numbers of the affected employees." Nash said in the letter. "Based on Pfizer's thorough investigation to this point, it appears that the affected employees can be grouped into two categories -- approximately 15,700 who actually had their data accessed and copied, and approximately 1,250 who may have had their data accessed and copied."

Nash's letter included copies of notices being sent to employees.

"Our investigation revealed that certain files containing your data were accessed and copied," the letter to those exposed said. "Based on our investigation to date, we have no reason to believe that any other personally identifiable information was exposed. Also, because the laptop was being used to access the Internet outside the Pfizer network environment, there are no associated risks to any other data systems maintained by Pfizer. We apologise for this incident and sincerely regret any inconvenience that these events and responding to this notice may cause you."

The company recommended employees call 866-274-3891 to get the credit monitoring services.

Connecticut Attorney General Richard Blumenthal (305 Pfizer employees in Connecticut) has asked Pfizer to provide details on whatever security policies were in place before the breach, as well as information about when the breach was discovered and how Pfizer responded. Blumenthal also wants the company to explain how it was able to determine which information was actually exposed. The company has until June 22 to answer those questions.