Some 34,000 Pfizer Inc. workers, including some current and former employees in Michigan, are at risk for identity theft, according to a letter to employees obtained by The Detroit News.
According to the Aug. 24 letter, a security breach may have caused employees' names, Social Security numbers, addresses, dates of birth, phone numbers, bank account numbers, credit card information, signatures and other personal information to be publicly exposed.
The breach occurred late last year when a Pfizer employee removed copies of confidential information from a Pfizer computer system without the company's knowledge or approval. Pfizer didn't become aware of the breach until July 10.
It's the third time since late May that Pfizer has made public a security breach that exposed current and former employees' personal information.
Company officials last week confirmed the latest breach, and said they were informing affected workers and offering them credit monitoring, identity theft insurance and other protections. No identity theft or other misuse of the information has been reported to Pfizer in connection with the incident.
Michigan workers were among those affected, said Ray Kerins, senior director for public affairs and policy at New York-based Pfizer. He did not disclose an exact number, nor did he say where the breach occurred.
At the beginning of the year, Pfizer employed about 6,400 workers in the state, mostly in Kalamazoo and Ann Arbor. But that number is quickly dropping as the drug maker closes down its research and development center in Ann Arbor by the end of next year. That facility employed 2,100 people when Pfizer announced it was closing in January.
Others risks revealed
In a separate incident in May, Pfizer workers learned information was compromised after a spouse downloaded file-sharing software to a company laptop. Then in July, 17,000 workers learned they were at risk after a laptop with sensitive data on it was stolen from a contractor's vehicle.
The latest breach is likely the most serious because it appears the now ex-employee maliciously went after the data, said Judd Rousseau, chief operations officer of Identify Theft 911, an Arizona-based identity management company.
"This appears to be an intentional theft which puts potential victims in the highest-risk category," he said. "The perpetrator likely knew the value of this information."
Pfizer is taking steps to protect its workforce. The letter to employees stated that the three major credit agencies were informed of the breach, and employees were offered $50,000 of identity theft insurance and two years of credit monitoring at no charge.
"These were three separate and distinct incidences," Pfizer's Kerins said. "This is a serious matter we are doing everything we can to protect our colleagues."
Kerins said law enforcement is also investigating the latest breach.
Expert: 3 breaches are rare
While the number of data thefts is clearly on the rise, seeing a company struck three times in such a short period is rare, Rousseau said.
"One breach can happen to anyone," he said. "By the third breach you are starting to show a pattern. It wouldn't shock me if you start seeing litigation in connection to this."
Pfizer's protection package goes beyond what many other companies offer affected employees, Rousseau said, but he was surprised that Pfizer waited six weeks to inform employees.
Employees who believe their data is at risk should act proactively, said Greg Guidice, CEO of RazorThreat, a Royal Oak network security company.
"They should take action before it's a problem," he said. "Notify your bank and your mortgage company have your credit card company reissue your cards."