2nd Pfizer Breach of 2007 Affects 950
Technorati Tag: Security Breach
Date Reported:
8/14/07
Organization:
Pfizer
Contractor/Consultant:
Axia
Number Affected:
950
Types of Data:
Name, home address, business address, home telephone number, work telephone number, cellular telephone number, fax number, fee information and Social Security number.
Breach Description:
Two laptop computers were stolen from the car of an Axia (management consulting company) employee in Boston, Massachusetts on May 31st that contained sensitive information on health care professionals providing or considering providing contract services to Pfizer.
Reference URL:
http://media.theday.com/gbl/media/dynamic/pdfnews/pfizersblumenthal.pdf
http://www.informationweek.com/news/showArticle.jhtml?articleID=201800113
Report Credit:
Sharon Gaudin, InformationWeek
Response:
From the official breach notification letter sent to the state of Connecticut and the online article cited above:
"on May 31st, 2007, two password-protected laptop computers owned by Axia Ltd., a consulting firm providing services for Pfizer were stolen"
[Comfyllama] Password protection does little to stop a thief other than being a nuisance. A typical statement meant to minimize the impact of the breach.
"Items other than the laptops were also taken"
[Comfyllama] So? Is this supposed to imply that the laptops were taken as part of a larger burglary, and thus were probably stolen for their hardware value? Another statement meant to minimize impact.
"To date police have not found the thief or the missing laptops, but because information on the laptops was "backed-up" by Axia's computer system, data were preserved."
[Comfyllama] Seriously, what does this have to do with the fact that confidential information is no longer confidential because of Axia's and Pfizer's lack of control? The information on the laptops should be considered disclosed. Great, the data is "backed-up" so it can be lost again! Or, is this statement meant to provide some type of assurance that Axia follows some kind of security best practice by backing up data? Ugh!
Pfizer and Axia are providing one year of credit protection and restoration service through Identity Safeguards (IDS) for affected individuals.
Commentary:
I am really miffed when a consulting company loses data. You would think that a consulting company would be able to follow "best practices". Why was this data on the laptops, and why were these laptops not encrypted? When will these consulting companies learn?
To add insult to injury, the letter goes on and on in an attempt to minimize the situation. After four paragraphs of description and minimizing, victims finally get an apology in the fifth paragraph of the letter.
Past Breaches:
17,000 Current and Former Pfizer Employees Exposed (May 30th, 2007)