Pfizer Exposes Data on Hundreds of Prescription Drug Users

  • Pharma huge Pfizer uncovered the personal information and facts of hundreds of prescription drug takers for around two months owing to a cloud misconfiguration, according to new investigate from vpnMentor.

    A staff led by Noam Rotem and Ran Locar found out the Google Cloud Storage bucket that contains the data as section of an ongoing web mapping project. It was totally unsecured and unencrypted when identified on July 9, 2020.

    The bucket apparently contained transcripts involving users of Pfizer medications and the firm’s interactive voice response (IVR) customer guidance software program, as very well as “escalations” to support brokers.

    Every transcript incorporated complete names, household and email addresses, phone numbers and partial well being and medical status. The drugs in dilemma provided anti-cancer treatments, treatment for epilepsy and hormone treatment, cure for nicotine habit and Viagra.

    VpnMentor argued that any cyber-criminals able to get maintain of this info could have utilized it to craft extremely convincing phishing strategies with victims referencing the contact transcripts. Some prospects were contacting for prescription refills, which could have presented an prospect for scammers to ask for credit rating card specifics, for illustration.

    “At the time of the information breach, Coronavirus was even now surging across the US,” vpnMentor added. “If cyber-criminals experienced productively robbed from or defrauded somebody using medicine for anxiety in any way, the possible effects on their psychological overall health is immeasurable.”

    Regrettably, the pharmaceutical giant’s reaction to the results wasn’t great. It evidently took around two months to reply, and then only with the subsequent: “From the URL you gave, I unsuccessful to see how it is important Pfizer knowledge (or even an crucial information at all).”

    The scientists ended up then pressured to share a file with a sample of customers’ personally identifiable info (PII) for the business to consider motion, on September 23—although it never ever responded to them all over again.