Hackers have broken through the "front door" of online data storage units used by pharmaceutical giant Pfizer and leaked hundreds of chatbot conversations and patient information.
Scores of victims could now be exposed to phishing scams after having their full names, home addresses and email contacts taken from a misconfigured Google Cloud storage bucket.
Data included hundreds of conversations between customers and chatbots enquiring about cancer drugs, epilepsy medication and Viagra.
It is not known how many patients were in the UAE.
Cybercrime experts said the blunder could lead to patients inadvertently handing over bank card information to criminals claiming to process bogus prescriptions.
“While name, addresses, and email addresses are not highly sensitive information like birth dates or social security numbers, the conversations could reveal very private medical data,” said Morey Haber, chief technology officer at BeyondTrust, a cyber security company in the UAE.
“The information could easily lead to future spear phishing attacks because the details about an individual would make a potential attack credible.
“Pfizer did not know the data was accessible nor [that] it was obtained.
“It is feasible therefore to assume the data has been accessed in the past as well.”
Phishing is the most common technique used by hackers to extract restricted data or gain access to accounts by encouraging users to relinquish passwords.
Sensitive information about patients who asked questions online about the smoking cessation drug Chantix was also obtained by hackers.
The breach was reported to Pfizer and regulators by online security researchers at tech company vpnMentor.
They said the information remained exposed online for months before action was taken to remove it in September.
It is the fifth similar failure to secure patient information by Pfizer, which has offices in Dubai Media City, following incidents in 2007 and 2019.
"Pfizer is aware that a small number of non-HIPAA data records on a vendor operated system used for feedback on existing medicines were inadvertently publicly available," Pfizer said in response.
"We take privacy and product feedback extremely seriously. To that end, when we became aware of this event we ensured the vendor corrected the issue and notifications compliant with applicable laws will be sent to individuals."
Industry experts said cloud storage is becoming increasingly difficult to secure as hacking techniques become more sophisticated.
In 2014, celebrities including Jennifer Lawrence, Rihanna and Kim Kardashian were among those who had compromising photos leaked online after cloud storage was hacked.
A two-step verification process was then introduced to bolster security around Apple’s iCloud data storage service.
“The recent Pfizer data breach tells us it is extremely difficult for even the largest companies in the world to secure their data every hour, every day and every week,” said Sam Curry, chief security officer at Cybereason, a company working with businesses in the UAE to bolster online defences.
“It's irrelevant whether an internal or external error led to this data breach.
“The digital footprint for enterprises is expanding at such a rapid pace, errors will occur and data will be exposed.
“Customers want transparency and guarantees that the company will continue to make sure data protection is their top priority.”
Conversations between humans and chatbots that give automated responses were among the information exposed in the leak.
While replies were preprogrammed into the solution, humans would realistically have to answer a series of questions to determine the proper response.
Those questions were designed to provide a high confidence in the results and often forced the exposure of more information to obtain the desired results.
“As no system, or person, is ever perfect, the ability to monitor, detect and respond to unauthorised or malicious access to cloud services can make the difference between a contained security incident and a full-blown breach as being reported at Pfizer,” said Matt Walmsley, a tech industry analyst and director at Vectra AI.
“We performed analysis on Office 365 – the world's most used software and service cloud – and identified how attackers are using existing tools and services within the cloud to spy and steal.
“When administrators inadvertently leave the front door open it’s unsurprising that attackers walk straight in and out unnoticed.”