Data Breach No. 4 Comes From Outside Pfizer

October 10, 2007

By Lee Howard

Pfizer Inc. employees, already wracked by three data breaches this year, have been getting notices in their mailboxes about yet another security problem, this time with no direct connection to the company.

The spouses and domestic partners of about 1,800 Pfizer employees, including 23 from Connecticut, learned late last month about a data breach at Wheels Inc., which provides cars to the company, mostly for use by its sales force. It could not be determined how many local residents were affected, but a company spokeswoman pointed out that the Pfizer Global Research & Development benefits package does not include company cars and salespeople do not work out of local offices.

The breach at Wheels, first reported by the Pharmalot Web site, released onto the Internet names, addresses, birth dates and driver's license numbers, but not Social Security numbers, according to the company.

Stratford Dick, marketing director at the Illinois-based Wheels, confirmed the breach in a phone interview Tuesday and said the company fixed the security problem soon after it was discovered.

"As soon as we realized what happened, we shut the site down," Dick said.

Dick said the problem did not involve a breach of the company Web site; instead, it occurred at various times over a two-week period during data transmissions from individuals responding to questions posed through an online Web application. The information, sent to the Wheels site unencrypted, was used as part of background checks Pfizer requires so the significant others of Pfizer employees can be approved to drive leased company cars, Dick said.

He said the company discovered the lack of encryption when a Pfizer spouse asked Wheels to confirm receipt of the data.

Dick said the company has not notified state Attorney General Richard Blumenthal about the breach, since it has been advised that this was unnecessary. He said industry experts believe the misuse of personal information in this case is unlikely.

Still, the leasing company is offering two years of credit-protection and credit-restoration services free of charge, including credit monitoring, access to fraud-resolution help and insurance reimbursement.

Wheels apologized for the incident and said it is reviewing its data-collection systems to avoid another privacy breach in the future.

"We are very appreciative of Wheels' prompt action to correct this issue when it was identified and for their offer to extend credit protection to people involved," Pfizer said in a statement.

In three previous incidents last summer, about 52,000 names, addresses and Social Security numbers of Pfizer employees were put in jeopardy. The incidents, each of which put employees at risk of identity theft, ranged from two laptops being stolen from a locked car to a violation of company policy in the use of file-sharing software to the theft of data by a former employee.

Pfizer has since instituted security changes that it says will make the loss of personal information in the future less likely.
