Shostack + Friends Blog Archive


Pfizer's little problem

For the third straight month, the pharmaceutical giant is reporting a serious security breach that may have resulted in the loss of personal data belonging to current and/or former employees. The most recent breach, reported last week, involves the potential theft of personal data on some 34,000 current and former workers at the company.

A Pfizer spokesman called the breaches “three separate and distinct incidences” that bear no relationship to each other.
(Dark Reading, “Pfizer: Strike Three”)

There are several interpretations that spring to mind. The first is that all are related by poor infosec practice at Pfizer. The second is that Pfizer is doing a better job of honest reporting than other organizations.

If you’re a CEO confronted with these losses, your first instinct is going to be to cover up, and to ask what you can do to avoid getting sued. It may make more sense to level with employees and explain to them what’s going on.

As Rich Mogull points out, “you have to feel for the employees who don’t have much of a choice to go anywhere ‘more’ secure.”

Hard as it is to confront these mistakes, covering them up and being caught is going to be a lot worse.

If only Pfizer made a drug to stiffen backbones.

3 comments on "Pfizer's little problem"

  • Tripwise says:

    I would make a comment about not being able to keep their defenses up, but…
    While I hate to say it, unless and until the onus of liability for breaches falls onto the entity in a leaked record (not the one who leaked it) or the governments legislate crushing penalties, these reports don’t matter.
    Small entities currently fall below most reporting thresholds and large entities can absorb the cost of notification, credit watches, and civil suits. TJX stock increased nearly 10 percent since their breach of 40,000,000 records – much more than any reasonable estimate of the costs associated with the breach.
    Until end-users are held responsible for their data management practices – right or wrong, non-geek consumers will not vote with their dollars. Additionally, CRUSHING legislation may help as costs must be passed on to consumers, who will move elsewhere for services. Right now, they get free credit reporting and the vast majority never have adverse financial effects given credit card insurance or write-off practices.

  • Anon says:

    If you think that’s bad, in a twist of irony, some apparently botnet-infected computers inside of Pfizer are also spewing Viagra spam:
    http://www.wired.com/politics/security/news/2007/09/pfizerspam
    aN0n

  • buy generic viagra says:

    cheap@viagra.com
    [How could I not let this one through? Killed the URL. – ed]
