Laptop is stolen from Pfizer independent contractor
Technorati Tag: Security Breach
Date Reported:
3/19/08
Organization:
Pfizer Inc.
Contractor/Consultant/Branch:
Unnamed independent contractor
Victims:
Present and former employees and individuals providing contract services
Number Affected:
~800
Types of Data:
"names and credit card numbers, as well as, in some instances, credit card expiration dates, home and/or business addresses, home and/or business and/or cell phone numbers, personal and/or business e-mail addresses, hotel loyalty program numbers and other travel and logistics information"
Breach Description:
"We are writing to let you know that a laptop stolen from a Pfizer contractor's locked home on February 7, 2008 unfortunately contained some of your personal information along with personal information belonging to approximately 800 present and former Pfizer employees and other individuals providing services to Pfizer."
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
I am writing to give you notice of a recent data security incident involving an independent contractor working for my client, Pfizer Inc ("Pfizer").
[Evan] Pfizer is getting pretty good at this whole breach notification thing. This is #5 for Pfizer since last August.
On February 7, 2008, the home of the contractor, who assists in arranging and planning travel and meetings for Pfizer, was burglarized and the contractor's laptop computer was stolen.
Some information about present and former Pfizer employees and individuals providing contract services to Pfizer was stored on that laptop.
[Evan] Does Pfizer allow employees and contractors to take sensitive personal information home on laptops? Without encryption?
The police were notified immediately, but no arrests have been made, and the laptop has not been recovered.
The contractor maintained an external back-up hard drive of the laptop's contents, and from the initial examination of the back-up it appears that the laptop contained information about approximately 800 individuals.
[Evan] Excellent, so there were (at least) two unprotected copies of this confidential information. Does anyone else see a problem with this?
The forensic review to date indicates that the information included names and credit card numbers, as well as, in some instances, credit card expiration dates, home and/or business addresses, home and/or business and/or cell phone numbers, personal and/or business e-mail addresses, hotel loyalty program numbers and other travel and logistics information.
The forensic review is ongoing, but it does not appear that any passwords or PIN codes for the credit cards were exposed, nor were any Social Security numbers exposed.
The laptop was password protected.
[Evan] So? We've said it here before, password protection (likely operating system) is NOT adequate protection. Although there is no perfect protection, the use of encryption reduces risk of exposure to a level that is acceptable for most applications.
At this time Pfizer is not aware that any person has inappropriately used any exposed information, but the Company is continuing to monitor the situation.
The data exposed by this incident does not appear to be the type that triggers a notification requirement under your state's data breach statute.
Nonetheless, Pfizer has made a corporate decision to notify affected individuals about the theft of the information and the steps they can take to minimize any potential impact.
[Evan] Wise decision. I can think of more wise decisions…
Pfizer is planning to send notification letters to all affected individuals within the next few days.
Pfizer has arranged to provide all affected individuals with the opportunity to sign-up for a full 2-year package of credit-protection services and identity theft insurance, free of charge.
[Evan] Two years is twice the amount of time that is usually given.
Both Pfizer and our contractor deeply regret this incident and any concerns it may raise.
If you have questions, please send an email to or call our Helpline mailbox at 212 733-0228.
Commentary:
There is no mention of encryption in the breach notification, nor is there any mention of company policy. Six breaches in the past 12 months speaks for itself.
Past Breaches:
May, 2007 - 17,000 Current and Former Pfizer Employees Exposed
August, 2007 - 2nd Pfizer Breach of 2007 Affects 950
September, 2007 - Pfizer Breach Exposes Details on Estimated 34,000
September, 2007 - 68,767 Patients Affected by McKesson Stolen Computers
October, 2007 - Encryption error at Wheels Inc. leads to Pfizer breach
It's definitely sad that a company such as Pfizer does not enforce full disk encryption on all portable computers. You would have thought that they would have learned from past experiences, but as the saying goes, "History will repeat itself." Maybe if tougher penalties and fines are enforced on companies, they will determine that encryption would be the best way to protect against the loss of PII information that is stored on laptops... Just my thought.