Global pharmaceutical company Pfizer exposed the personal information of hundreds of prescription drug users in the US by failing to secure a Google Cloud Storage bucket, according to teiss. This misconfigured bucket, discovered by security researchers at vpnMentor, stored conversations between Pfizer’s automated customer support software and its customers.
According to the researchers, the bucket most likely belonged to Pfizer’s US Drug Safety Unit (DSU) and contained transcripts between users of various Pfizer drugs and the company’s interactive voice response (IVR) customer support software.
If threat actors had located this gold mine of private and highly personal data, it is highly likely that it would have been exploited in effective follow-on phishing scams. Targeting victims with extremely personal data can be very effective because those affected assume there is no other way such information could have been obtained. The sender instantly gains the victim’s trust, and further damage, such as financial loss or even extortion, can quickly follow.
Employing ethical hackers to continuously scan for easily discoverable data that has been mistakenly left wide open on the internet can be a very effective way of clamping down on such errors. Internal security staff are usually focused on internal vulnerabilities, but data often leaks onto the internet where it could do a great deal of damage should a malicious actor locate it.
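One concrete form of that external check, written here as an added example (not code from the article, vpnMentor or Pfizer): it parses a Google Cloud Storage bucket's IAM policy, in the shape returned by `gsutil iam get gs://BUCKET`, and flags every role granted to the public principals `allUsers` or `allAuthenticatedUsers`. The policy below is a constructed sample; the bucket, user and service-account names are placeholders.

```python
import json

# Principals that make a binding world-readable or open to any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy for a hypothetical bucket, in the shape returned by
# `gsutil iam get gs://BUCKET`; the names are placeholders, not a real config.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["user:owner@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "serviceAccount:ivr-bot@example.iam.gserviceaccount.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ],
  "etag": "CAE="
}
"""


def find_public_bindings(policy: dict) -> list:
    """Return one finding per (role, public member) pair in the policy.

    Any role granted to allUsers or allAuthenticatedUsers exposes the bucket:
    objectViewer lets anyone download every object, legacyBucketReader lets
    anyone list it. Conditional bindings are still reported (condition kept)
    because a condition narrows when the grant applies, not who holds it.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({
                    "role": binding["role"],
                    "member": member,
                    "anyone_on_internet": member == "allUsers",
                    "condition": binding.get("condition", {}).get("expression"),
                })
    return findings


def audit_policy_json(policy_json: str) -> list:
    """Parse a policy document (e.g. gsutil iam get output) and audit it."""
    return find_public_bindings(json.loads(policy_json))
```

Run the audit over every bucket in a project on a schedule and alert on any non-empty result; a bucket holding customer transcripts should never produce a finding.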