Third Data Breach At Pharmaceutical Company Shows The Importance of Endpoint Security – An Update.

Well, it looks like some of the things I said might happen due to the Pfizer security breach materialized in short order. According to this article in a Connecticut publication, there has been a lot of activity at Pfizer World, Pfizer’s secure intranet.


Based on this article, the security breach was discovered on July 10; however, potentially affected employees were not alerted to this fact until August 28, seven weeks later. Also, it seems there is some confusion about the number of employees affected. An earlier article stated that the security breach affected more than 38,000 employees. Within Pfizer World, it seems the employee count of 50,000 is brought up quite often (technically, more than 38,000. But still, that is a heck of a margin of error).


About 120 employees vented their frustration, anonymously, of course.  Based on the potential number of employees affected, it seems like a small number by comparison.  I am sure, however, that there are plenty of employees who would have loved to post something but haven’t, knowing that there is no real anonymity in an electronic network, intranet or otherwise.  (I think one of the rules of thumb followed in such instances is that one person stands for two thousand people.  It wouldn’t apply in this case, since it would overtake the actual number of employees around the globe working for Pfizer.)


It looks like the employees understand that this is not Pfizer’s fault, however. The complaints by Pfizer employees included in the article are mostly critical of Pfizer’s stance in alerting employees in a not-so-timely manner.


As pointed out, though, the first thing that happens when you alert the world to a security breach is that the perpetrator will cease activities, often just temporarily. It is not inconceivable that Pfizer might have needed seven weeks to figure out how the security breach was pulled off, and whether there was a way to find and catch the criminal red-handed. Of course, if Pfizer had caught the perpetrator, there wouldn’t be such a ruckus. It looks like Pfizer wasn’t able to, though, and the company is now caught between a rock and a hard place: Pfizer waited too long to alert employees and has nothing to show for the delay.


There are also complaints by the employees that the consumer fraud protection plan offered by Pfizer is too short. Some people would like to have five years of protection as opposed to the currently offered two years. Some are also concerned that it’s not only their data but their family’s information that has been leaked out into the world, and are wondering whether the protection plan would be extended to family members as well. One wonders why Pfizer had data on family members to begin with... for extending insurance to family members?


I mentioned intangible ramifications in my previous posting regarding Pfizer’s newest security breach. Although such ramifications cannot be measured, their effects are only too real. You can bet that this situation is hurting Pfizer’s productivity, and the same goes for morale. One wonders how many people are seriously debating quitting their jobs at this venerated pharmaceutical company. How many people are calling up their credit card companies to find out if there were any unauthorized transactions as opposed to working on what might be a new breakthrough pill?


This is on top of the latest troubles the company is facing: its stock is not going anywhere; the recent round of layoffs (and future ones, too, I think); the loss of patents on a variety of blockbuster drugs (this is probably why the stock is going nowhere); the recent cancellation of trials for Torcetrapib, which was by all accounts the savior drug for the company once Lipitor went off exclusivity; and the other two security breaches.


When you consider the devastating outcome, potential and real, it is a bad strategy not to have a policy for ensuring that your company data is secure. As mentioned before, a simple service offered by AlertBoot would have been invaluable in this case. Not only could the device have been encrypted and password protected to prevent unauthorized access, but individual files could have been encrypted as well for double the security.


The electronic revolution is allowing us to do things faster and better, including the bad stuff. In this day and age, and especially in the high-tech sector, electronic device and information security is paramount. Services such as AlertBoot should be thought of not as an extra expenditure in the IT department or overhead that does not contribute towards the bottom line, but as insurance.
