Global pharmaceutical giant Pfizer Inc. has suffered a data breach with patient information found exposed on unsecured cloud storage.

Discovered and publicized today by researchers at vpnMentor, the exposed data was found on a misconfigured Google Cloud storage bucket. The data included hundreds of conversations between Pfizer’s automated customer support software and people using its prescription pharmaceutical drugs including Lyrica, Chantix, Viagra and cancer treatments Ibrance and Aromasin.

Along with confidential medical information, the transcripts included full names, home addresses and email addresses, all of which could be used by hackers to target patients with highly effective phishing campaigns.

“Hackers could easily trick victims by appearing as Pfizer’s customer support department and referencing the conversations taking place in the transcripts,” the researchers explained. “For example, many people were enquiring about prescription refills and other queries. Such circumstances give cybercriminals a great opportunity to pose as Pfizer and request card details in order to proceed with the refills.”

The potential of financial information phishing aside, the researchers also warned of the risk of the data being used to target patients with malicious software or even ransomware. The further risk is that if hackers used the personally identifiable information to trick a patient into providing more information, the combined data could be used for fraud including identity theft, potentially destroying a person’s financial well-being.

Disturbingly, the data remained exposed online for months after it was first discovered. The researchers reached out to Pfizer twice in July with no response before further attempting to contact the company on Sept. 22. The company finally responded the third time, with the data being taken offline on Sept. 23.

As of the time of writing, Pfizer has not confirmed the report nor issued a statement.

Given that the data appears to be legitimate, Pfizer could face legal action for the data breach. If any of the patients were residents of California, the California Consumer Privacy Act applies. Becoming law in January, the act, along with providing consumer privacy protection, also allows consumers to bring legal action for statutory damages in the event of a data breach from a business’ failure to implement reasonable security procedures. Leaving a Google Cloud storage bucket open to all and sundry would certainly meet the definition of not taking reasonable security measures.

That Pfizer has leaked data comes as no great surprise given its history. The company had three data breaches in 2007 and in an incident in 2019 “inadvertently left a backup hard drive in a box that was discarded in the trash.”

Photo: Waleed Alzuhair/Flickr