Pharma giant Pfizer exposed the personal information of hundreds of prescription drug takers for over two months due to a cloud misconfiguration, according to new research from vpnMentor.
A team led by Noam Rotem and Ran Locar discovered the Google Cloud Storage bucket containing the data as part of an ongoing web mapping project. It was completely unsecured and unencrypted when found on July 9, 2020.
The bucket apparently contained transcripts between users of Pfizer drugs and the firm’s interactive voice response (IVR) customer support software, as well as “escalations” to support agents.
Each transcript included full names, home and email addresses, phone numbers and partial health and medical status. The drugs in question included anti-cancer treatments, medication for epilepsy and hormone therapy, treatment for nicotine addiction and Viagra.
vpnMentor argued that any cyber-criminals able to get hold of this data could have used it to craft highly convincing phishing campaigns that referenced the call transcripts to win victims' trust. Some customers were calling for prescription refills, which could have provided an opportunity for scammers to request credit card details, for example.
“At the time of the data breach, Coronavirus was still surging across the US,” vpnMentor added. “If cyber-criminals had successfully robbed from or defrauded someone taking medication for anxiety in any way, the potential impact on their mental health is immeasurable.”
Unfortunately, the pharmaceutical giant’s response to the findings wasn’t great. It apparently took over two months to respond, and then only with the following: “From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).”
The researchers were then forced to share a file with a sample of customers’ personally identifiable information (PII) for the firm to take action, on September 23—although it never responded to them again.