Pfizer P2P Security Breach
June 20, 2007
Thomas Mennecke
It’s the same story we keep hearing over and over again. Go on just about any spoon-feeding P2P network, such as FastTrack and Gnutella, and conduct a search for a personally oriented file such as “resume” and there’s bound to be hundreds – if not thousands – of results.

It’s part of an epidemic in the file-sharing community – the irresponsible and unknowledgeable use of P2P applications. P2P applications by their very nature aren’t difficult to use. The easiest clients to use, such as Kazaa or LimeWire, generally appeal to those whose computer skills are inferior to those who prefer more advanced networks such as BitTorrent, eDonkey2000 or Usenet. And those inferior computer skills manifest themselves with the irresponsible usage of P2P clients.

During the installation process, these clients generally streamline setup by asking the end user which folder(s) he or she wishes to share. The shared-folder interface often looks like something from the days of PC Tools and can be confusing to novice computer users. As a result of this confusion and/or lack of experience, users often choose to share their entire root directory. In other words, they choose to share the entire “C:\” drive. At that point everything – including the contents of “My Documents”, emails, naughty pictures, and the family pet – is shared over the P2P network.
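The failure described above is a containment problem: a share rooted at “C:\” or at the user profile silently exposes every folder beneath it. The following audit routine is an added example, not code from the article or from any P2P client; the share list, the user-profile path and the set of sensitive folders are constructed for illustration. It shows how a simple check can tell an over-broad share (the whole drive, or the whole profile) apart from a dedicated share folder.

```python
"""Audit the folders a P2P client is configured to share.

Flags any configured share that also exposes a sensitive location
(drive root, user profile, Documents, mail/application data), which is
exactly how a "share everything" mistake leaks personal files.
"""
from pathlib import PureWindowsPath

# Constructed share configuration for this example: the first entry is a
# dedicated share folder, the other two are the over-broad choices the
# article describes (the whole drive and the whole user profile).
CONSTRUCTED_CONFIG = [
    "C:\\Users\\alice\\Downloads\\Shared Music",
    "C:\\",
    "C:\\Users\\alice",
]


def sensitive_roots(user_profile):
    """Return labelled locations that must never fall inside a share.

    `user_profile` is an assumed path (e.g. C:\\Users\\alice); the
    sub-folders are illustrative, not a complete inventory.
    """
    profile = PureWindowsPath(user_profile)
    return {
        "drive root": PureWindowsPath(profile.anchor),  # e.g. C:\
        "user profile": profile,
        "documents": profile / "Documents",
        "mail": profile / "AppData",
    }


def covers(share, target):
    """True if sharing `share` also exposes `target`.

    A share exposes a target when the target is the share itself or lies
    anywhere beneath it. PureWindowsPath compares case-insensitively, so
    'c:\\users' and 'C:\\Users' are treated as the same folder.
    """
    share = PureWindowsPath(share)
    target = PureWindowsPath(target)
    return target == share or share in target.parents


def audit_shares(shares, user_profile="C:\\Users\\alice"):
    """Return a list of (share, [exposed sensitive labels]) pairs.

    An empty label list means the share is contained; a non-empty one means
    the share should be replaced by a dedicated folder.
    """
    roots = sensitive_roots(user_profile)
    findings = []
    for share in shares:
        exposed = [name for name, path in roots.items() if covers(share, path)]
        findings.append((share, exposed))
    return findings


if __name__ == "__main__":
    for share, exposed in audit_shares(CONSTRUCTED_CONFIG):
        verdict = "OK" if not exposed else "OVER-BROAD: exposes " + ", ".join(exposed)
        print(f"{share!r:45} {verdict}")
```

Run stand-alone, the dedicated “Shared Music” folder passes, while “C:\” and the profile root are reported as exposing every sensitive location beneath them. The same containment test can be run against whatever folder list a client actually stores, which is the check a support desk or endpoint policy would want before a laptop with personnel files leaves the building.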

P2P networking is often the first thing blamed for this type of security breach. Many high-profile incidents have stemmed from such misuse, including the sharing of secret military documents, social security numbers, and other sensitive records. It is easy enough to blame P2P, since it is already “responsible” for the decline of the music industry, the death of CD sales, and unfettered movie piracy, so the technology often ends up as the scapegoat for security vulnerabilities.

Yet the latest news from the drug manufacturer Pfizer indicates that once again, it’s the end user who is responsible for a massive security breach. The actions of one individual caused the sensitive personal information of up to 16,950 past and present Pfizer employees to be shared on an undisclosed P2P network.

According to a correspondence from Pfizer’s legal counsel to the Attorney General of New Hampshire, an employee brought the laptop home, where the individual’s spouse installed the P2P application and proceeded to inadvertently share the computer’s contents.

“The [unauthorized] software allowed outsiders access to a number of files that include the names and social security numbers of the affected Pfizer employees. Based upon Pfizer’s thorough investigation to this point, it appears that the affected employees can be grouped into two categories – approximately 15,700 who actually had their data accessed and copied, and approximately 1,250 who may have had their data accessed and copied.”

It’s important to note that certain software is unauthorized on company equipment. P2P software usually falls under this category. The P2P software in question didn’t magically install itself and begin sharing sensitive documents. An individual manually downloaded and installed the program, while inadvertently permitting the client to share sensitive information.

Because of this, the nearly 17,000 Pfizer employees will receive a heartwarming letter informing them that their identities have been compromised on a P2P network.

“The information was stored on a Pfizer laptop computer that was provided to a Pfizer colleague for use in her home. Due to the unauthorized installation of certain file sharing software on the laptop, files stored in the laptop containing names, social security numbers, and in some instances, addresses and bonus information of approximately 17,000 present and former Pfizer colleagues, were exposed to one or more third parties. Our investigation revealed that certain files containing your data were accessed and copied.”

Pfizer’s letter included advice on how the affected individuals can protect their identities, as the investigation found that “one or more” third parties may have downloaded the information. While most people who look for such information do so for laughs and giggles, 17,000 compromised identities is a substantial security breach. However, personal behavior and responsibility, not P2P, is the real determining factor in whether such events repeat themselves.

This story is filed in these Slyck News categories
File-Sharing/P2P Related :: Other
Technology News :: Security
