There are reports that Pfizer may be in another data breach maelstrom. According to theday.com, an employee lost a laptop, as well as a flash drive, with information on 13,000 employees at the pharmaceutical company. The breach itself occurred about a month ago. There were no details on how the breach itself occurred, nor what type of data protection system was installed.
Pfizer has been in the news over information security breaches quite a few times over the past year. According to theday.com, this breach is the second this year, and the sixth since May of last year.
Pfizer e-mailed affected employees to let them know that Social Security numbers were not part of the lost data, but that names, home addresses, phone numbers, positions, and salaries may have been compromised. Of course, while this may not be enough to carry out identity theft, it is enough information to possibly carry out some kind of phishing scam, if a criminal gets lucky. A scam that is growing popular around the world right now seems to be the kidnapper's call. While no one has actually been kidnapped, a parent gets a call from some stranger claiming to have captured their child: pay up now or else. The panicked parents wire the money, find later on that the child is safe at school, and the criminal is nowhere to be found. The criminals' lives become easier if they know how much a person is making before making the call.
Based on the fact that protection measures like passwords and encryption are not mentioned, one would assume that they weren't in place for the stolen laptop. This leads to the question: what has Pfizer been doing for the past year? Granted, solutions have to match up to the problems, and Pfizer has had a number of different security problems. Full disk encryption is not going to work when P2P software is the cause of the release of thousands of SSNs, for example. (Although AlertBoot could help in this instance, since the hard drive encryption solution also allows application control, which disallows the installation of the P2P client and prevents such a breach in the first place.)
However, a company that has done its homework—especially after being a victim of a data breach—tends to find that there are certain security solutions they need to ensure information security. For example, the issuance of company laptops to employees tends to point towards the need for laptop encryption. Data redaction is usually the best solution (in theory); but it is also a nightmare to control and enforce, since you can’t place people to look over other people’s shoulders and monitor their actions 24/7. Plus, there’s always the question of what should be “redacted.” In this case, for example, Pfizer may be under the impression that the lack of financial information means this particular information breach is not an occasion for alarm—but, the exclusion of financial information does not mean that Pfizer’s employees will be able to rest at night without any worries.