Pfizer's lost hard drive called an expensive and embarrassing mistake
by Steve Ragan - May 20 2009, 18:14
The recent disclosure that a Pfizer hard drive was lost after an employee inadvertently tossed it out with the trash is an expensive and embarrassing mistake, according to one data encryption expert.
The drive, which contained the names and Social Security numbers of an unknown number of people, was hopefully burned after it was collected as a part of the trash disposal process used where the Pfizer employee lived.
“I am writing to notify you of a potential data loss involving my client, Pfizer Inc, that occurred when a Pfizer employee inadvertently left a backup hard drive in a box that was discarded in the trash on March 26, 2009,” a letter from Bernard Nash, Pfizer’s counsel, to the N.H. Attorney General stated.
“Because the municipality in which this employee resides incinerates the trash within 24 hours after it is picked up, the risk of identity theft associated with this incident is very low,” it added.
The problem here is that, while the trash is burned 24 hours after collection, no one can confirm the drive was actually destroyed. That issue alone prompted Pfizer to issue alerts and offer two years' worth of credit monitoring for those assumed to have had their information on the drive. The letter to the N.H. Attorney General referenced only three people, a small number, but no one knows how many similar letters were sent.
Michael Callahan, Credant Technologies senior vice president, said the fact Pfizer had to write to those people affected, as well as offer them credit and ID theft monitoring, was both embarrassing and expensive.
“If the health services company had adopted an encryption policy on its sensitive data -- whether the data is in transit or at rest -- then the accidental disposal of the drive by the New Hampshire staffer wouldn't have been the headline news for the company,” he said.
“What makes the case interesting from a policy enforcement approach is that the employee threw the drive into the trash at his home, which means that office security protection and systems wouldn't have stopped this from happening,” Callahan added.
Another interesting observation is that the missing drive was apparently unencrypted. Pfizer would not say one way or another, but if the data was stored in clear text, then this deviates from policies implemented after the company suffered a series of data breaches in 2007 and 2008, when some 65,000 people across the U.S. were placed at risk because of data exposure.