Pharma giant Pfizer exposed PII of hundreds of prescription drug users

Global pharmaceutical company Pfizer exposed the personal information of hundreds of prescription drug users in the US by failing to secure a Google Cloud Storage bucket that stored conversations between Pfizer’s automated customer support software and its customers.

According to security researchers at vpnMentor who discovered the misconfigured bucket, the bucket most likely belonged to Pfizer's US Drug Safety Unit (DSU) and contained transcripts between users of various Pfizer drugs and the company’s interactive voice response (IVR) customer support software.

The researchers stumbled upon the misconfigured bucket belonging to Pfizer in July while conducting port scans of particular IP blocks and testing different systems for vulnerabilities. They found that the Google Cloud Storage bucket was completely unsecured and unencrypted and, after verifying who the bucket belonged to, contacted Pfizer a few days later.

In the meantime, vpnMentor found that the misconfigured bucket stored transcripts of conversations between Pfizer's interactive voice response (IVR) customer support software and users of prescription drugs, as well as transcripts of conversations between human customer support agents and customers.

In all, there were hundreds of transcripts of conversations between the company and its customers, and each transcript contained information about prescription drugs being used by customers as well as their full names, home addresses, email addresses, phone numbers, and partial details of their health and medical status.

Anyone with access to the misconfigured bucket could view which prescription drug manufactured by Pfizer was purchased by each customer. The list of drugs mentioned in the transcripts included Chantix, Depo-Medrol, Lyrica, Premarin, Viagra, Advil, as well as cancer treatment drugs such as Aromasin and Ibrance.

"Had malicious or criminal hackers accessed the data stored on Pfizer’s Google Cloud bucket, they could have exploited it in numerous ways, targeting drug users in various fraudulent schemes. Using the PII data revealed in the transcripts, combined with details of medicine prescriptions and usage, hackers could target those exposed with highly effective phishing campaigns," vpnMentor said.

"Pharmaceutical companies hold a great deal of responsibility to keep the data of their customers secure and private. Not only is this a moral responsibility. It’s the law. By exposing these transcripts to the public, Pfizer committed a basic lapse in data security and a breach of confidentiality, with significant implications for the wellbeing of the people exposed," it added.

After being contacted by vpnMentor, Pfizer took over two months to respond to the firm and, when it did, it played down the impact of the data leak. “From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all),” a company employee told vpnMentor. The company finally secured the misconfigured Google storage bucket after vpnMentor shared a sample of its customers’ PII data that was stored in the bucket.
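A defender-side check for the kind of misconfiguration described above, added here as an example and not code from the article, Pfizer or vpnMentor: it reads the JSON shapes the Google Cloud Storage API returns for a bucket (`buckets.get`, for `iamConfiguration`) and for its IAM policy (`buckets.getIamPolicy`, for `bindings`), flags any binding to `allUsers` or `allAuthenticatedUsers`, and flags a bucket whose public access prevention is not enforced. The bucket name, group and policy contents are constructed sample data.

```python
"""Audit a GCS bucket's IAM policy and settings for public exposure.

Added example (not the article's, Pfizer's or vpnMentor's code). Input
shapes follow the GCS JSON API: buckets.get -> iamConfiguration,
buckets.getIamPolicy -> bindings. Sample data below is constructed.
"""
import json

# Principals that make a bucket public: everyone on the internet, or
# anyone with any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample bucket: public access prevention not enforced.
SAMPLE_BUCKET = json.loads("""{
  "name": "example-ivr-transcripts",
  "iamConfiguration": {
    "uniformBucketLevelAccess": {"enabled": true},
    "publicAccessPrevention": "inherited"
  }
}""")
# Constructed sample policy: objects readable by allUsers.
SAMPLE_POLICY = json.loads("""{
  "kind": "storage#policy",
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["group:dsu-admins@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
  ]
}""")

def public_bindings(policy):
    """Return (role, member) pairs granting access to a public principal."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_MEMBERS]

def audit_bucket(bucket, policy):
    """Return findings as strings; an empty list means nothing public."""
    findings = [f"{m} has {r}" for r, m in public_bindings(policy)]
    pap = bucket.get("iamConfiguration", {}).get("publicAccessPrevention")
    if pap != "enforced":
        # Remediation: gsutil pap set enforced gs://BUCKET
        findings.append("publicAccessPrevention is not enforced")
    return findings

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_BUCKET, SAMPLE_POLICY):
        print("FINDING:", finding)
```

In a real audit the two JSON documents come from `gsutil iam get gs://BUCKET` and `gcloud storage buckets describe gs://BUCKET --format=json` rather than inline samples.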


Copyright Lyonsdown Limited 2021
