

Global pharmaceutical giant Pfizer Inc. has suffered a data breach with patient information found exposed on unsecured cloud storage.
Discovered and publicized today by researchers at vpnMentor, the exposed data was found on a misconfigured Google Cloud storage bucket. The data included hundreds of conversations between Pfizer’s automated customer support software and people using its prescription pharmaceutical drugs including Lyrica, Chantix, Viagra and cancer treatments Ibrance and Aromasin.
Along with confidential medical information, the transcripts included full names, home addresses and email addresses, all of which could be used by hackers to target patients with highly effective phishing campaigns.
“Hackers could easily trick victims by appearing as Pfizer’s customer support department and referencing the conversations taking place in the transcripts,” the researchers explained. “For example, many people were enquiring about prescription refills and other queries. Such circumstances give cybercriminals a great opportunity to pose as Pfizer and request card details in order to proceed with the refills.”
The potential for phishing of financial information aside, the researchers also warned of the risk of the data being used to target patients with malicious software or even ransomware. A further risk is that if hackers used the personally identifiable information to trick a patient into providing more information, the combined data could be used for fraud including identity theft, potentially destroying a person’s financial well-being.
Disturbingly, the data remained exposed online for months after it was first discovered. The researchers reached out to Pfizer twice in July with no response before further attempting to contact the company on Sept. 22. The company finally responded the third time, with the data being taken offline on Sept. 23.
As of the time of writing, Pfizer has not confirmed the report nor issued a statement.
Given that the data appears to be legitimate, Pfizer could face legal action for the data breach. If any of the patients were residents of California, the California Consumer Privacy Act applies. The act, which became law in January, provides consumer privacy protection and also allows consumers to bring legal action for statutory damages in the event of a data breach resulting from a business’ failure to implement reasonable security procedures. Leaving a Google Cloud storage bucket open to all and sundry would certainly meet the definition of not taking reasonable security measures.
That Pfizer has leaked data comes as no great surprise given its history. The company had three data breaches in 2007 and in an incident in 2019 “inadvertently left a backup hard drive in a box that was discarded in the trash.”