Bernard Nash, an attorney for the world's largest drug maker, said in a letter to the Attorney General that another company sent a package to Pfizer on July 6 that contained a DVD with Pfizer data on it. The information had been found on a computer that the company, which went unnamed in the letter, had assigned to a worker who had formerly been employed at Pfizer, according to Nash's Sept. 21 letter.
After reviewing the information, Pfizer "became aware" that personal information from the Pfizer network was on the DVD, Nash wrote. The company notified a federal prosecutor on Aug. 17 "to explain Pfizer's investigatory efforts, discuss the possibility of prosecution of the responsible individual, and receive input on the most productive use of Pfizer's investigative resources."
A source close to the investigation told InformationWeek that the AG's office is investigating the matter.
Nash's letter noted that the company's network was not breached. "The individual who accessed the data in Pfizer's computer system was, at the time of the access, authorized to do so," he wrote. "The wrongful removal of the data from Pfizer was a violation of Pfizer policy, but no breach of the computer security system occurred."
It was not noted why the person stopped working at Pfizer or where the individual began working next.
Nash reported that the incident compromised employee information, including names, Social Security numbers, addresses, cell and home phone numbers, credit card numbers, bank account numbers, driver's license numbers, birth dates, and even signatures.
In mid-August, Pfizer alerted Connecticut Attorney General Richard Blumenthal to the May theft of two company laptops containing personal information of 950 people. It was the second time in two months that a security breach at Pfizer had put the personally identifying information of current and former employees at risk. The earlier security breach exposed information on 17,000 people.
It is not yet clear if Nash's letter about the former employee relates to either of these two breaches or to another breach.
Pfizer could not be reached for comment.
The news comes within a week of online brokerage TD Ameritrade Holding Corp. announcing that a hacker broke into one of its databases and stole personally identifying information on its 6.3 million customers.