Pharmaceutical giant Pfizer exposed the personal information of hundreds of prescription drug users for over two months due to a cloud misconfiguration, according to new research from vpnMentor. A team led by Noam Rotem and Ran Locar discovered the Google Cloud Storage bucket containing the data as part of an ongoing web mapping project. It was completely unsecured and unencrypted when found. The bucket apparently contained transcripts between users of Pfizer drugs and the firm’s interactive voice response (IVR) customer support software. Each transcript included full names, home and email addresses, phone numbers and partial health and medical status. The drugs in question included anti-cancer treatments, medication for epilepsy and hormone therapy, treatment for nicotine addiction and Viagra.
A Pfizer spokesperson said: “Pfizer is aware that a small number of non-HIPAA data records on a vendor-operated system used for feedback on existing medicines were inadvertently publicly available. We take privacy and product feedback extremely seriously. To that end, when we became aware of this event, we ensured the vendor corrected the issue and notifications compliant with applicable laws will be sent to individuals.”
Tim Erlin, VP at Tripwire, said: “If you have data in the cloud, you must, absolutely must check the configuration of those data stores for access permissions, and you must do so continuously. Leaving sensitive data exposed through the misconfiguration of cloud storage is entirely preventable.”