Pharmaceutical giant Pfizer has been exposing private medical information of US prescription-drug users for months, according to vpnMentor’s cybersecurity research team.
The sensitive data was stored on a misconfigured Google Cloud Storage bucket. Researchers even found some information dating back to October 2018, speculating that the database could have been accessible for nearly two years.
“The exposed data related to conversations between Pfizer’s automated customer support software and people using its prescription pharmaceutical drugs, including Lyrica, Chantix, Viagra, and cancer treatments Ibrance and Aromasin,” researchers said.
“In total, there were 100s of transcripts from individuals across the USA, with more being uploaded during our investigation.”
A review of the transcripts revealed additional personally identifiable information (PII), including full names, home addresses, email addresses, phone numbers, and details of patients’ health and medical status.
The database was secured on September 23, after several failed attempts to contact the pharma giant. The researchers emphasized that it took Pfizer two months to reply to their initial report.
“From the URL you gave, I failed to see how it is important Pfizer data (or even important data at all),” Pfizer said.
However, after vpnMentor’s investigator sent a sample containing customer information, Pfizer immediately secured the database.
“We then shared a file with a sample of their customers’ PII data that we found in the Google bucket,” researchers added. “After this, they finally secured the bucket, but never replied to our messages again.”
If criminals had stolen the information, customers could face targeted phishing attacks that could lead to further data exposure and even financial losses. Bad actors could have easily tricked victims into revealing financial data by posing as Pfizer customer support representatives and referring to the information in the transcripts.
“If cybercriminals succeeded in tricking a victim into providing additional PII data, they could use this to pursue various forms of fraud, including total identity theft,” vpnMentor researchers noted. “In doing so, they could destroy a person’s financial wellbeing and create tremendous difficulty in their personal lives.”