Hackers target Pfizer exposing sensitive patient information

Global attack reveals sensitive patient conversations about cancer drugs, Viagra and epilepsy medication

Reflection of male hacker coding working hackathon at laptop
Powered by automated translation

Hackers have broken through the "front door" of online data storage units used by pharmaceutical giant Pfizer and leaked hundreds of chatbot conversations and patient information.

Scores of victims could now be exposed to phishing scams after having their full names, home addresses and email contacts taken from a misconfigured Google Cloud storage bucket.

Data included hundreds of conversations between customers and chatbots enquiring about cancer drugs, epilepsy medication and Viagra.

It is not known how many patients were in the UAE.

When administrators leave the front door open it's unsurprising attackers walk straight in unnoticed

Cybercrime experts said the blunder could lead to patients inadvertently handing over bank card information to criminals claiming to process bogus prescriptions.

“While name, addresses, and email addresses are not highly sensitive information like birth dates or social security numbers, the conversations could reveal very private medical data,” said Morey Haber, chief technology officer at BeyondTrust, a cyber security company in the UAE.

“The information could easily lead to future spear phishing attacks because the details about an individual would make a potential attack credible.

“Pfizer did not know the data was accessible nor [that] it was obtained.

“It is feasible therefore to assume the data has been accessed in the past as well.”

Phishing is the most common technique used by hackers to extract restricted data or gain access to accounts by encouraging users to relinquish passwords.

Sensitive information about patients, who asked questions online about smoking cessation drug, Chantix, was also obtained by hackers.

The breach was reported to Pfizer and regulators by online security researchers at tech-company vpnMentor.

FILE PHOTO: A man walks past a sign outside Pfizer Headquarters in the Manhattan borough of New York City, New York, U.S., July 22, 2020. REUTERS/Carlo Allegri/File Photo
Pfizer headquarters in New York. Carlo Allegri / Reuters

They said the information remained exposed online for months before action was taken to remove it in September.

It is the fifth similar failure to secure patient information by Pfizer, that has offices in Dubai Media City, following incidents in 2007 and 2019.

"Pfizer is aware that a small number of non-HIPAA data records on a vendor operated system used for feedback on existing medicines were inadvertently publicly available," Pfizer said in response.

"We take privacy and product feedback extremely seriously. To that end, when we became aware of this event we ensured the vendor corrected the issue and notifications compliant with applicable laws will be sent to individuals."

Industry experts said cloud storage is becoming increasingly difficult to secure as hacking techniques become more sophisticated.

In 2014, celebrities including Jennifer Lawrence, Rihanna and Kim Kardashian were among those who had compromising photos leaked online after cloud storage was hacked.

A two-step verification process was then introduced to bolster security around Apple’s iCloud data storage service.

“The recent Pfizer data breach tells us it is extremely difficult for even the largest companies in the world to secure their data every hour, every day and every week,” said Sam Curry, chief security officer at Cybereason, a company working with businesses in the UAE to bolster online defences.

“It's irrelevant whether an internal or external error led to this data breach.

“The digital footprint for enterprises is expanding at such a rapid pace, errors will occur and data will be exposed.

“Customers want transparency and guarantees that the company will continue to make sure data protection is their top priority.”

Read More

Chat conversations between human and chatbots that give an automated conversation response were some of the information exposed in the leak.

While replies were preprogrammed into the solution, humans would realistically have to answer a series of questions to determine the proper response.

Those questions were designed to provide a high confidence in the results and often forced the exposure of more information to obtain the desired results.

“As no system, or person, is ever perfect, the ability to monitor, detect and respond to unauthorised or malicious access to cloud services can make the difference between a contained security incident and a full-blown breach as being reported at Pfizer,” said Matt Walmsley, a tech industry analyst and director at Vectra AI.

“We performed analysis on Office 365 – the worlds most used software and service cloud – and identified how attackers are using existing tools and services within the cloud to spy and steal.

“When administrators inadvertently leave the front door open it’s unsurprising that attackers walk straight in and out unnoticed.”