Report: Pfizer waited to notify employees of data breach


NEW LONDON, Conn. (AP) – Pfizer Inc. let several weeks pass before informing 17,000 current and former employees that their personal information had been posted to the Internet, according to a letter from the company.

Connecticut Attorney General Richard Blumenthal released a copy of the letter Friday, telling The Day newspaper of New London that he will press Pfizer to explain the delay.

The data, which included Social Security numbers and some additional information, was discovered on April 18 when a computer consultant found sensitive information on a peer-to-peer network.

A Pfizer investigation determined the security breach had occurred about three weeks earlier when an employee’s spouse used a company laptop computer to install unauthorized software and access a file-sharing network.

Pfizer did not start notifying the affected people until June 1, and the mailing was not completed until June 6, according to the company’s eight-page letter.

That means the total elapsed time between the breach and notification was more than nine weeks, according to the company’s timeline.

“It certainly seems problematic,” Blumenthal said. “The potential damage to people during that time is very troubling, and (employees) could have taken action themselves (to prevent identity theft) if given proper notification.”

New York-based Pfizer, the world’s largest pharmaceutical company, employs about 5,000 people at its world research and development headquarters in New London and Groton.

Pfizer has not responded to The Day’s requests for additional comments about the data breach, the newspaper reported in Saturday’s editions.

Pfizer said that in addition to personal information, “various types of other information and data related to Pfizer’s pharmaceutical sales business and operations” were exposed to the Internet as a result of the data breach.

“Pfizer takes very seriously its responsibility to secure its data and has many policies, procedures and protections to safeguard personal information,” Pfizer attorney Bernard Nash said in the letter released by Blumenthal’s office.

The letter also emphasized that Pfizer has upgraded several security procedures in response to the data breach, which affected more than 300 Connecticut residents.

“The unfortunate incident has served to help heighten (Pfizer’s) security awareness and attention to data protection,” Nash said in the letter.

In addition to some names and Social Security numbers, other data breaches included disclosure of an unspecified number of home and cell phone numbers, the letter said.

Experian, a credit-reporting agency, is assisting all affected employees with potential credit or identity-theft issues.