The Connecticut attorney general has launched an investigation into the compromise of up to 17,000 of Pfizer employees, including some 300 employees within his home state. Pfizer would not comment on when the breach occurred other than to say it involved a Pfizer employee who had taken the data home on a laptop, a machine that subsequently became compromised. The data, including the employees' name, home address, bonus information, and Social Security number, was surreptitiously uploaded and later appeared on an Internet site. Pfizer did not know how much of that information had been copied or used by others.
The company has offered the affected employees $25,000 in insurance to cover any costs resulting from the breach. Employees were asked to respond within 90 days. In a letter dated June 6, Attorney General Richard Blumenthal asked the pharmaceutical company to also freeze the affected employees' credit ratings and pay any fees associated.
Internal leaks of sensitive data are an emerging problem for enterprises. "Although the lost laptop appears to be the trend that people focus on," said Devin Redmond, director of the security product group at Websense, "the trend is more that (personal data) goes out over the Web." Redmond said that spyware and malware tend to be targeted to a specific organization, even specific file types. The potential attacker includes competing companies or organized crime.
Redmond said companies should discover where their assets are and then implement IT policies to protect them. For employee-issued laptops, this may include restricting or filtering Web sites that may be visited with that machine. As for employees wanting to take files home on a flash drive, ports and burners on the office desktop can be prevented from copying sensitive documents.