Drive Encryption Software: Pfizer Has Another Breach, Laptop Was Encrypted.

Pfizer has alerted employees and the New Hampshire Attorney General's Office that a laptop computer was stolen.  The laptop computer contained sensitive information.  Thankfully, drive encryption was used to protect the contents of the computer.  Unfortunately, the encryption password “may have been compromised.”


Pfizer Finally Learns Its Lesson?



This is not the first time that Pfizer has been involved in a data breach.  In this link I’ve got a short history of Pfizer breaches that I found in the media.  To date, I know of five data breaches, including the current one.


In what may seem like crazy talk, I want to congratulate Pfizer…and not in a sarcastic way.  Of the previous four breaches, three of them involved lost data storage devices that didn’t use encryption software.  I’ve wondered why Pfizer was announcing what appeared to be essentially the same breach over and over, with only the number of people affected changing.  One could easily put an end to such announcements by using the aforementioned encryption.


Well, they finally did.  And it’s great that they did because the stolen laptop contained names, addresses, SSNs, and telephone numbers for current and former employees, healthcare professionals, service providers, and/or customers.  So, congratulations to Pfizer.  Jeers go to the employee, though: the “password may have been compromised.”  Obviously, this is the employee’s doing.


Aren’t you curious what the employee did, though?  I certainly am.  “Password may have been compromised.”  Other than these words, we have no more details.  The presence of the word “may” is the most confusing part of all.  I take it that the password was not written on the laptop with a Sharpie or taped to it.  So, what is it?  A Post-It note that conceivably could have come off?  Or perhaps the laptop and its case were stolen, and the password was in the case, perhaps deep down in a notebook?


Regardless, it wouldn’t be safe to treat the presence of encryption as grounds for assuming the data is secure.


BIOS Password?



In addition to the use of encryption, it has been noted that the computer also employed “an additional PIN-protected electronic locking mechanism restricting access to the laptop.”  You know, this is one of the most unhelpful descriptions of a safety feature that I’ve read in a while.


Are we talking about an electronic lock?  For example, are flanges with holes welded on Pfizer’s laptops, allowing one to literally lock up the laptop (and in this case, some kind of electronic lock was used)?


Or are we talking about the BIOS password, a password that will prevent your computer from even booting up?  The problem with such passwords is that it’s relatively easy to bypass them: take out the motherboard’s battery and replace it in a minute or so, and you’ll find that everything’s been reset (i.e., no BIOS password).



Related Articles and Sites:
http://doj.nh.gov/consumer/security-breaches/documents/pfizer-20110610.pdf
http://www.databreaches.net/?p=19378


