Processing Magazine

Pfizer waited weeks to notify employees of data breach

July 16, 2007

The Associated Press reports that Pfizer Inc. let several weeks pass before informing 17,000 current and former employees that their personal information had been posted to the Internet, according to a letter from the company. Connecticut Attorney General Richard Blumenthal released a copy of the letter, telling The Day newspaper of New London, Connecticut, that he will press Pfizer to explain the delay. The data, which included Social Security numbers and some additional information, was discovered on April 18 when a computer consultant found sensitive information on a peer-to-peer network. A Pfizer investigation determined the security breach had occurred about three weeks earlier when an employee's spouse used a company laptop computer to install unauthorized software and access a file-sharing network. Pfizer did not start notifying the affected people until June 1, and the mailing was not completed until June 6, according to the company's eight-page letter. That means the total elapsed time between the breach and notification was more than nine weeks, according to the company's timeline. New York-based Pfizer, the world's largest pharmaceutical company, employs about 5,000 people at its world research and development headquarters in New London and Groton.