Pfizer waited six weeks to disclose breach that exposed data on thousands

Spouse and file-sharing program at the center of data compromise

A letter from Pfizer Inc.'s attorney to Connecticut Attorney General Richard Blumenthal shows the drug maker first learned of a data breach involving about 17,000 of its employees on April 18 -- six weeks before the company started notifying them of the incident on June 1.

The July 11 letter, signed by Bernard Nash of Dickstein Shapiro LLP, also said that a "small group" of additional individuals may have been affected by the breach, beyond the 17,000 that were originally reported.

Nash's letter, which was posted online by New London, Conn.-based The Day, was in response to a note Blumenthal had sent to Pfizer on June 6. In it, Blumenthal sought a full explanation of the circumstances surrounding the breach, in which personal data belonging to about 17,000 Pfizer workers was exposed by a file-sharing program that had been illegally installed on a company laptop.

According to Pfizer's original notice, about 15,700 individuals actually had their data accessed and copied by an unknown number of persons on a peer-to-peer network. The company said that while data on the rest of the affected individuals may have been exposed, it could not confirm if the information had actually been copied.

Among the issues on which Blumenthal sought clarification were the measures Pfizer had in place prior to the breach to protect against data compromises, as well as when the company discovered the breach and how it responded to the incident. Blumenthal's letter also asked Pfizer to describe how it was able to distinguish between the data that was actually copied and data that might only potentially have been accessed.

In his formal response on Pfizer's behalf, Nash said that Pfizer learned of the incident on April 18 when an independent computer consultant informed the company that he had found Pfizer data on a peer-to-peer network.

The compromise occurred on March 26 when the spouse of a Pfizer employee used the employee's password to access the computer and install an unauthorized file-sharing program on it, Nash said. However, he offered no explanation of why the company waited until June 1 to inform those affected by the breach.

"That software was configured by the spouse so that other users of the file-sharing network could access certain files that the spouse had stored in the employee's laptop," Nash said in his letter. "Unfortunately, the software configuration also allowed users of the file-sharing network to access certain other files -- Pfizer files -- contained on the laptop."

In addition to the personal data on Pfizer employees, other information pertaining to the company's pharmaceutical sales business and operations was compromised, he said. Some of the users on the file-sharing network who accessed Pfizer files were using newer file-sharing software versions that recorded the fact that certain files had been copied, Nash said.

As a result, Pfizer was able to determine which of the files had actually been accessed and copied and which ones may only have been exposed, he added.

Copyright © 2007 IDG Communications, Inc.