TechGuard Blog

Pharma Giant Leaks Customer PII and Info

Pharmaceutical giant Pfizer has been leaking customer data in the U.S. for months and possibly even years due to an unprotected cloud storage bucket. Pfizer exposed data such as phone-call transcripts and personally identifiable information (PII).

The leak comes from the misconfiguration of a storage bucket that was most likely owned by Pfizer’s U.S. Drug and Safety Unit. The PII exposed in this misconfigured bucket included full names, addresses, email addresses, phone numbers, and partial details of health and medical status. Also alarming, the leak included transcripts from the customer support lines that related to side effects and prescription refills.

The bucket was open to the internet as recently as July with no credentials required to access it. The bucket was finally made private on September 23rd.


The Attack on Customers

The large quantity of exposed data means that customers are now vulnerable to a wide range of cyber-attacks. The personal information that Pfizer has can now be used by attackers to impersonate Pfizer’s customer service representatives.

It isn’t hard to imagine the sorts of schemes that hackers could now use to target the customers affected by this leak. If they wanted to get more information about a customer, they could pose as a representative and get it directly. If a customer is looking for a prescription refill, a cybercriminal might tell them they need to provide their credit card information over the phone to get one. They could steal the prescriptions and cause havoc in the victim’s life. With just the information now exposed and a convincing phishing email, an attacker could even steal an affected Pfizer customer’s identity.

The chances that hackers might use this information to infect the home networks of customers are also high. Cybercriminals could use the information to create a believable email containing a malicious link or download. With the leaked data, it would not be difficult to get someone to click a link that, in turn, infects the network that the user is on. The possibilities are virtually endless.


Cloud Misconfigurations Are Common

A study done by Comparitech shows that 6% of Google cloud buckets are not configured correctly and are available for anyone on the internet to see and access the contents. Misconfigurations remain an all too common cause of data breaches. This fall, we saw data from an estimated 100,000 customers of Razer, the gaming gear company, exposed due to a misconfigured Elasticsearch server. Many other companies have fallen victim to cloud misconfiguration breaches, including Broadvoice and the Wales arm of the U.K. National Health Service.


How to Protect Yourself

Unfortunately, breaches like these aren’t going away anytime soon, and even worse, there’s not much that you, as a consumer, can do about companies losing your data once they’ve acquired it. However, that doesn’t mean you have zero control. One thing to keep in mind is that you can control how much of your data a company has. Also, make sure you aren’t using the same usernames and passwords across multiple accounts with different companies. This way, even if a hacker figures out your credentials for one account, they won’t be able to access other accounts and do even more damage.

Finally, educate yourself on phishing and social engineering attacks. Learn the signs and how hackers craft them. Make sure you’re not haphazardly clicking links and attachments in emails before evaluating their legitimacy. Always remember, if an email seems suspicious, it probably is.

Written by Matthew Rech