I see. So without file sharing, it would have been perfectly acceptable to have 17,000 staff records on a laptop?
Casual use of file sharing by the spouse of an unnamed Pfizer worker has been blamed for leaking personal information on more than 17,000 current and former employees at the pharmaceutical giant. Unauthorised installation of a P2P package on a company laptop led to the exposure of worker data, presumably after a directory …
So all these leaked details will suddenly disappear during the course of a year?
The workers can get new numbers so their old details are invalid then?
Not good enough, can happen to anyone anywhere; my old employer was trying to email all our names, addresses, DOB, nat ins no, bank details in an Excel spreadsheet last year. The people in charge have no clue!
That's like saying that if he had written them down on a bit of paper and left it in a bus shelter, it's the paper and pen's fault.
No, the guy broke company rules to install the software (presumably Soulseek or something similar) and also was num-nut enough to share a directory containing sensitive information.
Sack the guy - it's his fault, not P2P's; he shouldn't be allowed access to such information if he can't look after it. End of story.
.... what are these companies all doing, letting employees copy such information on to laptops? The only way they should be able to get that kind of info from home (if at all) is over secure VPN access to the application at the other end - certainly not allowing them the ability to download huge batches of sensitive data.
It hurts my insides that laziness seems to always win over security.
Secure VPN from home? Sounds tough, we can just put all this stuff on a CD.
Encryption on the CD? Sounds time consuming, plus what happens if the user forgets their password? We can trust the VP of HR not to be an idiot right?
Sit down with all the VPs and try to tell them what can be counted as idiot behaviour with sensitive data? Nobody really likes to tell VPs what to do, and besides that, they rarely listen.
The whole chain is screwed. This sort of thing has to start from the top down, not from the IT department up, and it has to be backed with some serious penalties for breaking the rules.
I imagine it'll take a decade or two for that sort of thing to become popular...
I see comments berating Pfizer for allowing this data on a laptop. My current client has lots of tech-savvy/security-light users; they do stuff like write scripts to go through the VPN and pull records from a relatively secure DB to god knows where. I recently found performance issues caused by such users hitting our backend for everything they may ever need. They were considerate and did this at time == beforethesparrowfart AM. We are multinational.
Not sure where I am going, except security is _HARD_ and if someone can read your DB and is half clever, (s)he's likely to script it, cache it and enjoy fast access. The half-savvy users are the killers.
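The scripted bulk pulls over VPN described in the comment above are the kind of thing an application's access log can surface if anyone looks. The following is an added example, not code from the commenter or from any of the companies mentioned: it parses a constructed application access log (the line layout, the field names `user`, `action`, `rows`, `src`, the 5,000-rows-per-hour threshold and the business-hours range are all assumptions chosen for illustration) and flags users who export more rows than a person would plausibly read in a sliding one-hour window, plus any exports that happen in the small hours.

```python
"""Flag bulk record pulls in an application access log.

Added example, not code from the original thread. The log format, field
names, thresholds and business-hours range are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: ISO-8601 UTC timestamp followed by key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.*)$")

WINDOW = timedelta(hours=1)      # sliding window for per-user row totals
ROW_LIMIT = 5000                 # rows per window before we call it a bulk pull
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 UTC treated as normal working time


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        rows = int(fields.get("rows", "0"))
    except ValueError:
        return None
    return {"ts": ts, "user": fields.get("user", "?"), "rows": rows,
            "src": fields.get("src", "?"), "action": fields.get("action", "?")}


def find_bulk_pulls(lines, row_limit=ROW_LIMIT, window=WINDOW):
    """Return {user: peak_rows} for users exceeding row_limit within any window."""
    events = [e for e in map(parse_line, lines) if e and e["action"] == "export"]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for i, e in enumerate(evs):
            total += e["rows"]
            # Drop events that have fallen out of the trailing window.
            while evs[i]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            if total > row_limit:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


def find_off_hours(lines, hours=BUSINESS_HOURS):
    """Return (user, timestamp) pairs for exports outside business hours."""
    return [(e["user"], e["ts"].isoformat())
            for e in map(parse_line, lines)
            if e and e["action"] == "export" and e["ts"].hour not in hours]


# Constructed sample log: one user pulling 8,000 rows before dawn over the
# assumed VPN range (10.8.0.0/16), two users doing ordinary daytime work, and
# one malformed line to show the parser skips what it cannot read.
SAMPLE_LOG = """\
2007-06-12T09:15:01Z user=alice action=view rows=1 src=10.1.2.3
2007-06-12T09:20:44Z user=alice action=export rows=200 src=10.1.2.3
2007-06-12T03:02:10Z user=bob action=export rows=2500 src=10.8.0.23
2007-06-12T03:14:55Z user=bob action=export rows=2500 src=10.8.0.23
2007-06-12T03:31:07Z user=bob action=export rows=3000 src=10.8.0.23
2007-06-12T14:00:00Z user=carol action=export rows=4000 src=10.1.2.9
2007-06-12T18:30:00Z user=carol action=export rows=4000 src=10.1.2.9
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    print("bulk pulls:", find_bulk_pulls(SAMPLE_LOG))
    print("off hours:", find_off_hours(SAMPLE_LOG))
```

Note that carol also exports 8,000 rows on the day but is not flagged, because her two pulls are four and a half hours apart; the sliding window is what separates a day's legitimate work from a script draining the table in one sitting. Tune the threshold to what the application's own export feature is meant to return in a single request.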
Betcha all a jelly donut that if the law imposed an absolute liability on Pfizer in favor of anyone whose personal data held by them was compromised, say to the tune of $10K each, all of a sudden you'd see senior management taking security truly seriously.
The modern corporate world understands nothing except money. Corporate heads will not take serious steps to abate security problems relating to personal data until they are suddenly hit with costs they can't dodge in the $100 million range. To add piquancy, sting, and bite, the law could provide that if the corporation is unable to pay, the officers and board members are personally liable as well.
Lessee...17,000 employees screwed over, at $10K each...aha! $170,000,000. That'll make them wake up and pay attention. Yeehaw!
And if it takes the bankruptcy of a few corporations and a gaggle of executives to get the point across, that's just the price society has to pay for smartening up the rest.
1. The security officer for not laying down a more thorough policy.
2. The IT dept for not locking down laptops, to prevent users from installing software.
3. Education and Compliance depts to drum the security and acceptable use policies into users, especially those working on data that may well be taken off company premises.
A company of Pfizer's size can well afford to buy the best security software out there, to ensure that laptop accounts are locked up tight so only approved apps can be used.
As they say, there's no accounting for the ingenuity of a fool!
"ian, possibly the laptop user was a field account manager? Contact management applications like Salesforce typically have a "mini-master" loaded onto the laptop."
In that case, anyone using that software to store sensitive information is a moron, end of. To store sensitive information on a PC in a secure office isn't too bad (you only have break ins and social engineering to worry about) -- but to allow it on a laptop is idiotic.
It's frightening that, in a century where information technology is used by a huge percentage of the population, people still don't understand how valuable data is and how damaging a leak can be.
I work for a top Pharma (not Pfizer), and It's my job to deal with these things. Some points:
1) It wasn't the worker, but the worker's *spouse.* Screwup #1 - letting unauthorized persons use the hardware. You DON'T do that.
2) Installing unauthorized software. Screwup #2 - leaving the system open so that untrusted persons (like the end user) are able to install software. Only trusted, authorised persons should be able to install software.
3) Laptops have valid use, even for high-security work. People want better drugs for free. This puts pressure on the company to get increased cost/performance. That means Pharmas must cut costs. That means (among other things) fewer staff (my company is cutting many hundreds of IT workers, for instance), and remaining staff working longer hours. Rather than work overtime at the office, they take their work home with them, on laptops. This reduces resentment, and increases retention of remaining staff.
It's not the laptop, it's the lack of security on the laptop, and the security breach by the authorised worker, in allowing an unauthorized user access.
My, what a surprise! It's incredible! Can you imagine that? Someone has a laptop, and access to personal information, and all of a sudden we find the personal info on the laptop, and the laptop compromised. How extraordinary! I mean, it's only the 100th time this has happened, right? How could anyone ever imagine in their wildest dreams that it would happen, like, again?
You know what the solution will be? I don't, but I know one thing: nothing is going to change until the Vice-President of the USA gets HIS details leaked and somehow finds himself with a bad credit rating and tens of millions of debt. THEN, all of a sudden, some laws will be passed and the government will clamp down on IT security like there's no tomorrow. Meanwhile, there's gonna be a million more incidents like this, likely meaning that the whole population of the USA will have had their private details leaked at least once.
Man am I glad I don't live in that country !