Cybersecurity researchers have uncovered a misconfigured Google Cloud Storage bucket belonging to the pharma giant Pfizer.
The newly discovered leak holds private medical data of hundreds of patients who take Pfizer drugs such as Lyrica, Chantix and Viagra, as well as several cancer treatments. The exposed data also includes conversations captured by Pfizer’s Interactive Voice Response (IVR) customer support software.
The exposed files were found in a Google Cloud Storage bucket. This is distinct from Google Drive: Google Cloud Storage is an object-storage service aimed primarily at enterprise and corporate customers.
Personal data of hundreds of people across the United States, some of it dating back to October 2018, was found in a “completely unsecured and unencrypted” bucket on the 9th of July 2020.
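A bucket becomes “completely unsecured” in the sense described above when its IAM policy grants a role to the anonymous principal `allUsers` (or to `allAuthenticatedUsers`, any Google account), or when per-object ACLs are still in force and public access prevention is not enforced. The following audit script is an added example, not code from the article or from Pfizer; it runs offline on the JSON that `gsutil iam get gs://BUCKET` and `gcloud storage buckets describe gs://BUCKET --format=json` return. The field names (`bindings`, `members`, `iamConfiguration.publicAccessPrevention`, `iamConfiguration.uniformBucketLevelAccess.enabled`) follow the Cloud Storage JSON API bucket resource as the author understands it and should be compared against your own exported output; the sample policy and metadata are constructed for illustration.

```python
"""Audit a Google Cloud Storage bucket's IAM policy and configuration for public exposure.

Added example (not from the article). Field names follow the Cloud Storage JSON API
bucket resource and are an assumption to verify against real exported output.
"""
import json

# Principals that make a binding readable by anyone or by any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: an IAM policy with two public bindings and one legitimate one.
SAMPLE_IAM_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.legacyBucketReader", "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
    ],
    "etag": "CAE=",
})

# Constructed sample: bucket metadata with legacy ACLs enabled and no public access prevention.
SAMPLE_BUCKET_METADATA = json.dumps({
    "name": "example-escalations-bucket",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": False},
        "publicAccessPrevention": "inherited",
    },
})

# Constructed sample of the hardened state, for comparison.
HARDENED_IAM_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
    ],
    "etag": "CAI=",
})
HARDENED_BUCKET_METADATA = json.dumps({
    "name": "example-escalations-bucket",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "enforced",
    },
})


def public_bindings(iam_policy_json):
    """Return (role, member) pairs granting access to anonymous or any-Google-account principals."""
    policy = json.loads(iam_policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def config_findings(bucket_metadata_json):
    """Return configuration weaknesses that allow the bucket or its objects to become public."""
    meta = json.loads(bucket_metadata_json)
    iam_cfg = meta.get("iamConfiguration", {})
    findings = []
    # Without enforced public access prevention, a single IAM change or ACL can expose data.
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("publicAccessPrevention is not 'enforced'")
    # With legacy ACLs still active, individual objects can be made public outside the IAM policy.
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("uniformBucketLevelAccess is disabled (per-object ACLs can grant public reads)")
    return findings


def audit_bucket(iam_policy_json, bucket_metadata_json):
    """Combine both checks; 'exposed' is True when any public grant or weak setting is found."""
    bindings = public_bindings(iam_policy_json)
    config = config_findings(bucket_metadata_json)
    return {"public_bindings": bindings, "config_findings": config, "exposed": bool(bindings or config)}


if __name__ == "__main__":
    for label, policy, meta in (
        ("misconfigured", SAMPLE_IAM_POLICY, SAMPLE_BUCKET_METADATA),
        ("hardened", HARDENED_IAM_POLICY, HARDENED_BUCKET_METADATA),
    ):
        report = audit_bucket(policy, meta)
        print(f"[{label}]")
        for role, member in report["public_bindings"]:
            print(f"  PUBLIC BINDING: {member} -> {role}")
        for finding in report["config_findings"]:
            print(f"  CONFIG: {finding}")
        print("  exposed" if report["exposed"] else "  no public exposure found")
```

In practice the remediation for the misconfigured state is to remove the public members from the policy (for example `gsutil iam ch -d allUsers:legacyBucketReader gs://BUCKET`) and then turn on both guard rails with `gcloud storage buckets update gs://BUCKET --public-access-prevention --uniform-bucket-level-access`, so that a later IAM or ACL change cannot reintroduce anonymous access; the hardened sample above represents that end state. Running the audit periodically across all buckets in an organisation, rather than once, is what catches the drift that left this bucket open for over two years.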
The researchers alerted Pfizer to their discovery on the 13th of July. After numerous attempts to get the pharma giant to take meaningful action, they received the following statement from Pfizer: “From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).” The researchers then shared a sample of the leaked PII found in the misconfigured bucket, after which Pfizer took appropriate action.
The bucket was only secured on the 23rd of September, and the researchers have received no further communication from the pharmaceutical giant.
The exposed medical transcripts include numerous forms of personally identifiable information (PII), including:
- Full Names
- Home Addresses
- Email Addresses
- Phone Numbers
- Partial details of health and medical status
The exposed transcripts also reference a range of medicines, including treatments for several forms of cancer, alongside other products manufactured and sold by Pfizer:
- Aromasin: used to treat breast cancer.
- Chantix: used to treat nicotine addiction.
- Depo-Medrol: a medicine used in a considerable number of treatments for skin diseases.
- Ibrance: used in the treatment of breast cancer.
- Lyrica: medication for epilepsy, neuropathic pain, fibromyalgia and restless leg syndrome.
- Premarin: used in menopausal hormone therapy.
According to the researchers, the folder holding the transcripts was labelled “Escalations,” suggesting that they came from a department that processes and manages customer concerns. The researchers were also able to capture documentation from Pfizer’s IVR support, with patients asking about side effects, refills and other prescription-related queries.
The screenshots below show PII exposed in several of the conversations:
Many of the people affected by the mismanaged bucket are likely to be in poor health, whether physical or emotional.
Had a cybercriminal gained access to the unsecured bucket, they could have used this PII in various fraudulent activities, such as targeting victims with phishing campaigns purporting to come from Pfizer in the hope of acquiring more sensitive data such as credit card information. Imagine the potential impact on these people, mentally and physically, had they fallen victim to such cybercriminals.
Pfizer is a multinational pharmaceutical company ranked 57th on the 2018 Fortune 500 list in the US.