Pharma giant Pfizer exposed PII of hundreds of prescription drug users

Global pharmaceutical company Pfizer exposed the personal information of hundreds of prescription drug users in the US by failing to secure a Google Cloud Storage bucket that stored conversations between Pfizer’s automated customer support software and its customers.

According to security researchers at vpnMentor who discovered the misconfigured bucket, the bucket most likely belonged to Pfizer’s US Drug Safety Unit (DSU) and contained transcripts between users of various Pfizer drugs and the company’s interactive voice response (IVR) customer support software.

The researchers stumbled upon the misconfigured bucket belonging to Pfizer in July, when they were conducting port scanning to examine particular IP blocks and test different systems for vulnerabilities. They found that the Google Cloud Storage bucket was completely unsecured and unencrypted and, after verifying who the bucket belonged to, contacted Pfizer a few days later.
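The misconfiguration at the centre of this story is a bucket IAM policy that grants read access to a public principal. The following Python checker is an added example, not part of the article or of vpnMentor's tooling: it flags such bindings in the JSON that `gsutil iam get gs://BUCKET` prints, and the sample policy below is constructed rather than Pfizer's real one.

```python
"""Flag public principals in a Google Cloud Storage bucket IAM policy.

Hypothetical checker (not from the article). Input is the JSON document that
`gsutil iam get gs://BUCKET` prints: a policy with a "bindings" list, where
each binding maps one role to a list of members.
"""
import json

# Principals that make a binding world-readable: every anonymous internet
# user (allUsers), or anyone holding any Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict) -> list[tuple[str, str]]:
    """Return (role, member) pairs granted to a public principal.

    An empty list means no binding exposes the bucket to the public. A
    non-empty list is the condition that leaves objects readable by anyone
    who discovers the bucket name, which is what the researchers found.
    """
    found = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((role, member))
    return found


def bucket_is_public(policy_json: str) -> bool:
    """Convenience wrapper for the raw text output of `gsutil iam get`."""
    return bool(public_bindings(json.loads(policy_json)))


# Constructed sample: the shape of a misconfigured policy, not real data.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ],
  "etag": "CAE="
}
"""

if __name__ == "__main__":
    for role, member in public_bindings(json.loads(SAMPLE_POLICY_JSON)):
        print(f"PUBLIC: {member} holds {role}")  # prints the allUsers binding
```

Removing the offending binding (for example with `gsutil iam ch -d allUsers:objectViewer gs://BUCKET`) and enabling public access prevention on the bucket closes the exposure this script reports.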

In the meantime, vpnMentor found that the misconfigured bucket stored transcripts of conversations between Pfizer’s interactive voice response (IVR) customer support software and users of prescription drugs, as well as transcripts of conversations between human customer support agents and customers.

In all, there were hundreds of transcripts of conversations between the company and its customers, and each transcript contained information about prescription drugs being used by customers as well as their full names, home addresses, email addresses, phone numbers, and partial details of their health and medical status.

Anyone with access to the misconfigured bucket could view which prescription drug manufactured by Pfizer was purchased by each customer. The list of drugs mentioned in the transcripts included Chantix, Depo-Medrol, Lyrica, Premarin, Viagra, Advil, as well as cancer treatment drugs such as Aromasin and Ibrance.

“Had malicious or criminal hackers accessed the data stored on Pfizer’s Google Cloud bucket, they could have exploited it in numerous ways, targeting drug users in various fraudulent schemes. Using the PII data revealed in the transcripts, combined with details of medicine prescriptions and usage, hackers could target those exposed with highly effective phishing campaigns,” vpnMentor said.

“Pharmaceutical companies hold a great deal of responsibility to keep the data of their customers secure and private. Not only is this a moral responsibility. It’s the law. By exposing these transcripts to the public, Pfizer committed a basic lapse in data security and a breach of confidentiality, with significant implications for the wellbeing of the people exposed,” it added.

After being contacted by vpnMentor, Pfizer took over two months to respond to the firm, and when it did, it played down the impact of the data leak. “From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all),” a company employee told vpnMentor. The company finally secured the misconfigured Google storage bucket after vpnMentor shared a sample of its customers’ PII data that was stored in the bucket.


Copyright Lyonsdown Limited 2021
