Global pharmaceutical company Pfizer exposed the personal information of hundreds of prescription drug users in the US by failing to secure a Google Cloud Storage bucket that stored conversations between Pfizer’s automated customer support software and its customers.
According to security researchers at vpnMentor who discovered the misconfigured bucket, the bucket most likely belonged to Pfizer's US Drug Safety Unit (DSU) and contained transcripts between users of various Pfizer drugs and the company’s interactive voice response (IVR) customer support software.
The researchers stumbled upon the misconfigured bucket belonging to Pfizer in July while conducting port scans to examine particular IP blocks and test different systems for vulnerabilities. They found that the Google Cloud Storage bucket was completely unsecured and unencrypted, and after verifying who the bucket belonged to, they contacted Pfizer a few days later.
In the meantime, vpnMentor found that the misconfigured database stored transcripts of conversations between Pfizer's interactive voice response (IVR) customer support software and users of prescription drugs as well as transcripts of conversations between human customer support agents and customers.
In all, there were hundreds of transcripts of conversations between the company and its customers, and each transcript contained information about prescription drugs being used by customers as well as their full names, home addresses, email addresses, phone numbers, and partial details of their health and medical status.
Anyone with access to the misconfigured bucket could view which prescription drug manufactured by Pfizer was purchased by each customer. The list of drugs mentioned in the transcripts included Chantix, Depo-Medrol, Lyrica, Premarin, Viagra, Advil, as well as cancer treatment drugs such as Aromasin and Ibrance.
"Had malicious or criminal hackers accessed the data stored on Pfizer’s Google Cloud bucket, they could have exploited it in numerous ways, targeting drug users in various fraudulent schemes. Using the PII data revealed in the transcripts, combined with details of medicine prescriptions and usage, hackers could target those exposed with highly effective phishing campaigns," vpnMentor said.
"Pharmaceutical companies hold a great deal of responsibility to keep the data of their customers secure and private. Not only is this a moral responsibility. It’s the law. By exposing these transcripts to the public, Pfizer committed a basic lapse in data security and a breach of confidentiality, with significant implications for the wellbeing of the people exposed," it added.
After being contacted by vpnMentor, Pfizer took over two months to respond to the firm and when it did, it played down the impact of the data leak. “From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all),” a company employee told vpnMentor. The company finally secured the misconfigured Google storage bucket after vpnMentor shared a sample of its customers’ PII data that was stored in the bucket.