
Consumer Affairs

Chronic Data Dysfunction at Pfizer

Company's computers may have been used to send Viagra spam


by Martin H. Bosworth
ConsumerAffairs.com

September 8, 2007

Pharmaceutical giant Pfizer continues to suffer a streak of embarrassing data breaches, as the company reported its third loss of sensitive information in as many months.

Even worse, a network security company claims hundreds of Pfizer's computers have been hijacked by spammers to send e-mails touting junk stocks and erectile dysfunction enhancements--including Pfizer's own flagship product Viagra.

Rick Wesson, CEO of Support Intelligence, told Wired magazine that his company had identified 138 blacklisted IP addresses coming from Pfizer that were the origin points for spam e-mails. The e-mails were disguised as coming from Google's free Gmail Web mail service.

The hijacked computers may be part of a "botnet," a group of computers infested with worms or viruses that slave them to a master computer and turn them into spam-generating machines. Users are often unaware that their computers have been slaved to botnets, as the process takes up little memory and is difficult to detect.

Wesson claimed that Support Intelligence has repeatedly tried to inform Pfizer of the problem, citing similar discoveries the company made for Bank of America and Toshiba, but Pfizer has yet to respond. "If they (were aware), they would have taken care of the problem," Wesson said.

Data Breach

In the latest data breach, Pfizer disclosed that an employee had downloaded sensitive information from the company's computer network without permission in late 2006. The information included names, Social Security numbers, dates of birth, addresses, financial and employment data.

The breach was not discovered until July 10--more than eight months after it occurred--and the company did not start sending out notifications to affected individuals until August 23.

Pfizer spokespersons did not disclose how the breach was discovered, how the employee performed it in the first place, or why it took so long to notify authorities and affected individuals. In a letter to New Hampshire Attorney General Kelly Ayotte, attorney Bernard Nash, representing Pfizer, confirmed only that the unidentified employee had been fired.

Nash claimed that there was no evidence that any of the information had been used for identity theft, but Pfizer would pay for credit protection services and work with law enforcement to investigate the breach in any case.

Pfizer had previously disclosed a data breach in July caused by sharing sensitive information over a file-sharing network. Laptops containing sensitive personal information on Pfizer contractors were stolen from employees of a consulting firm in August.
