Severe neglect of the computer equipment of pharmaceutical giant Pfizer led to the leaking of sensitive medical information from hundreds of patients in the U.S., all due to a misconfigured implementation of Google Cloud.
Apparently the information exposed includes transcripts of phone calls and personal information, in addition to medical information, mentions a vpnMentor report. Records even specify whether users use controlled medications or supplements such as Chantix, Lyrica, Viagra, Premarin, among other substances.
Personal data exposed during the incident include details such as:
- Full names
- Addresses
- Email addresses
- Partial details of medical records
- Transcript records
Specialists consider this to be a troubling incident because the transcripts are related to Pfizer’s automated customer service system. Using this system, the company maintained extensive records of its customers’ inquiries, creating a large confidential database.
Specialists discovered the information exposed in an unsyged bucket (usernames and passwords) last July. Although the company was immediately notified, the bucket was secured until September 23: “After sharing a file with a sample of sensitive company customer data, the bucket was secured, although Pfizer has not added further details about the incident,” the specialists mention.
Threat actors could abuse this information in a variety of ways, so it is necessary for the company to take the necessary steps to protect affected customers from attempts at fraud, phishing, among other attacks.
Using this information, attackers could also extract additional information about a patient (the address of their home, for example) in order to completely steal the victim’s identity: “Hackers could hijack prescription replenishments or, in the worst case, destroy a person’s financial well-being and create tremendous difficulty in their personal life”, concludes the report of the specialists.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.