Pfizer has been in the news recently for several important reasons. Most recently and likely most significantly, due to their announcement that the company is approaching a level effectiveness with a COVID-19 vaccine that could make it ready for distribution in the near future.
A few weeks before that, though, Pfizer made headlines with a different announcement when they were forced to admit they had left the private medical data of prescription-drug users in the U.S. exposed via an unprotected Google Storage bucket.As threatpost reported on research from vpnMentor, “The exposed data includes phone-call transcripts and personally-identifiable information (PII), according to vpnMentor’s cybersecurity research team. The victims include people using pharmaceuticals like Lyrica, smoking-cessation aid Chantix, Viagra, menopause drug Premarin, and cancer treatments such as Aromasin, Depo-Medrol and Ibrance. Some of the transcripts were related to conversations about Advil, which is manufactured by Pfizer in a joint venture with GlaxoSmithKline.” The the full vpnMentor report can be read here: Major Pharmaceutical Company Exposes Private Data of US Prescription Drug Users.
Full names, home addresses, email addresses, phone numbers, partial details for health and medical status, and even call transcripts between patients and customer service representatives were all exposed. The extent of the damage with regards to how much of this data was accessed nefariously remain to be seen, but there’s no doubt the sensitivity of this data makes this breach a significant security event. The highly sensitive data, combined with additional contextual information from the transcripts, make the situation ripe for exploitation. Hackers now have identifiable targets and plenty of context with which to conduct even more nuanced phishing attacks related to the nature of past patient interaction, for example making it easier for hackers to impersonate trusted Pfizer representatives or healthcare providers.
Hopefully, positive news of a forthcoming COVID-19 vaccine continues to, rightfully, overshadow headlines on the breach. For data security professionals, though, the proximity of the news of sensitive data exposure at Pfizer and the discovery of a viable vaccine sparks concern. With the entire globe currently battling to find a way out of the COVID-19 pandemic, data related to a viable vaccine is arguably some of the most sensitive data in the world at present. Without speculating on motive, it’s safe to say the sensitivity of that data makes it a prime target for cyberattack.
Already, vaccine-related hacking incidents have proved to be an issue in 2020. For example, in a ransomware attack at the University of California at San Francisco in June of this year, attackers locked servers used by the epidemiology and biostatistics department which contained critical, sensitive Covid-19 research, costing the university about $1.14M and no doubt impeding their progress. Microsoft also recently revealed that hackers backed by Russia and North Korea have targeted pharmaceutical companies involved in the COVID-19 vaccine development efforts.
It goes without saying that the stakes are incredibly high when it comes to safeguarding data as sensitive as a vaccine data in the middle of a global pandemic. Whether theft, ransomware or any malicious access of vaccine data, any breach of vaccine research data has the potential to stall progress and have life-threatening impact.
The most effective way to protect against such a sensitive data breach is to eliminate the sensitivity of the data itself. ShardSecure achieves this through a unique approach called Microsharding, in which data is sharded into fragments as small as single digit bytes, mixed and polluted with poison shards, then distributed to multiple locations. As a result, if data is exposed, for example left un-encrypted in a cloud storage bucket as in the Pfizer incident, an attacker accessing data maliciously will never have access to a full dataset or be able to glean any value.
Hopefully, positive news related to progress on the vaccine front will dominate the headlines in the coming months rather than news on dangerous healthcare hacks. For every organization that deals with sensitive data, though, eliminating the sensitivity of data is the most effective way to proactively mitigate the negative effects of potential cyber attack and a necessary precaution in today’s data-driven world.