Encryption error at Wheels Inc. leads to Pfizer breach
Technorati Tag: Security Breach
Date Reported:
10/10/07
Organization:
Pfizer
Contractor/Consultant/Branch:
Wheels Inc.
Victims:
Pfizer sales employees
Number Affected:
1,800
Types of Data:
Name, address, date of birth, and driver's license number
Breach Description:
Wheels Inc. confirms that personal information relating to 1,800 Pfizer employees was released onto the Internet over a two-week period during data transmissions. The information involved in this breach was transmitted to Wheels Inc. via an unencrypted Web site used to conduct background checks on employees involved with vehicle leases.
Reference URL:
Story at TheDay.com
Story at Pharmalot
Report Credit:
Ed Silverman, Pharmalot
Response:
From the online resources cited above:
"The spouses and domestic partners of about 1,800 Pfizer employees, including 23 from Connecticut, learned late last month about a data breach at Wheels Inc., which provides cars to the company, mostly for use by its sales force."
"The breach at Wheels, first reported by the Pharmalot Web site, released onto the Internet names, addresses, birth dates and driver's license numbers, but not Social Security numbers, according to the company."
"As soon as we realized what happened, we shut the site down," - Stratford Dick, marketing director at the Illinois-based Wheels
"the problem did not involve a breach of the company Web site; instead, it occurred at various times over a two-week period during data transmissions from individuals responding to questions posed through an online Web application"
"The information, sent to the Wheels site unencrypted, was used as part of background checks"
"He said the company discovered the lack of encryption when a Pfizer spouse asked Wheels to confirm receipt of the data."
"Dick said the company has not notified state Attorney General Richard Blumenthal about the breach, since it has been advised that this was unnecessary. He said industry experts believe the misuse of personal information in this case is unlikely."
[Comfyllama] Unlikely is a subjective term. The fact of the matter is that Wheels Inc. made a mistake that put the information they DO NOT own at unnecessary risk.
"the leasing company is offering two years of credit-protection and credit-restoration services free of charge, including credit monitoring, access to fraud-resolution help and insurance reimbursement."
[Comfyllama] As I stated in the Commerce Bank breach, two years is twice what has become the standard and provides much more protection. Wheels Inc. deserves some credit for this decision.
"Wheels apologized for the incident and said it is reviewing its data-collection systems to avoid another privacy breach in the future."
Commentary:
This is the fourth breach affecting Pfizer employees this year. Although Pfizer is a huge company and I feel sympathy for any breach victim, I feel a little extra for any employee that was affected by more than one of these breaches. That would make for a real crappy year and little peace of mind.
Wheels Inc. made a mistake, admitted it and took a prudent course of action (other than choosing not to notify the CT Attorney General). It stinks that they learn their lesson at the expense of another. There are primarily two places where encryption should always be used when dealing with confidential data: at rest and in transit.
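The in-transit half of that rule is exactly what failed here: a web form collecting names, birth dates and driver's license numbers submitted to a plain-HTTP endpoint. The audit below is an added example (not code from the original post or from Wheels Inc.; the hostname and form markup are constructed) that parses a page's forms and flags any form sending such fields to a non-HTTPS action URL, the kind of check a review of a data-collection site should run before it goes live.

```python
"""Flag HTML forms that send personal data over plain HTTP (added example,
not code from the original post or from Wheels Inc.; hostnames are made up)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments covering the data types exposed in the breach above.
SENSITIVE_HINTS = ("name", "address", "dob", "birth", "license", "licence")


class FormAuditor(HTMLParser):
    """Records each <form>'s resolved action URL and its input field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": str, "fields": [str]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action is resolved against the page URL.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form that posts sensitive fields to a non-HTTPS URL."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [f for f in form["fields"]
                     if any(h in f.lower() for h in SENSITIVE_HINTS)]
        if sensitive and urlsplit(form["action"]).scheme != "https":
            findings.append({"action": form["action"], "fields": sensitive})
    return findings


# Constructed sample: a background-check form on a plain-HTTP page, plus one
# form that correctly submits to an HTTPS endpoint and is therefore not flagged.
SAMPLE_URL = "http://leasing.example/background-check"
SAMPLE_HTML = """<form method="post" action="/submit">
<input name="full_name"><input name="dob"><input name="drivers_license">
</form>
<form method="post" action="https://leasing.example/submit"><input name="dob"></form>"""
```

Calling `audit_forms(SAMPLE_URL, SAMPLE_HTML)` returns a single finding for the first form; the same check run on fetched pages would have caught the form described above before any spouse data was submitted.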
Past Breaches:
For Wheels Inc.:
Unknown
For Pfizer:
June, 2007 - 17,000 Pfizer employees exposed due to P2P software
August, 2007 - 950 Pfizer employees have information on stolen laptop
September, 2007 - 34,000 Pfizer employees affected by unauthorized file removal