Massive data leak due to misconfigured cloud storage

About 100 patients have had their personal and medical data exposed online because of a data leak.

What they have in common is the use of Pfizer drugs that are available by prescription in the United States. The leak was reportedly caused by a configuration problem in a Google Cloud Storage bucket.

This is one more case in a series of incidents that are becoming more and more common. It is not unusual for data leaks to be caused by misconfigured databases or cloud storage systems, and that is a real problem. The lesson is that cyberattacks are not the only cause of data leaks and exposures of private information. Unfortunately, poor database configurations have, in many cases throughout this year, caused many more exposures of private data. That is exactly what happened to the pharmaceutical group. Information relating to prescription drugs for more than 100 patients across the United States was freely exposed online. The information was confidential, notably conversations between the American giant's automated customer support software and people using drugs such as Premarin, Viagra, Chantix and Lyrica, and the cancer treatments Ibrance, Aromasin and Depo-Medrol.

The leaked data consists of personal information such as first and last names, location information such as home addresses, phone numbers, email addresses and other medical information.

"In this case, the exposed files were stored on a misconfigured Google Cloud Storage Bucket. Google Cloud Storage is different from Google Drive, providing service specifications for enterprise platforms and corporate customers," notes VPN Mentor, who initiated the discovery. "Initially, we suspected that the misconfigured Bucket was linked to only one of the brands of drugs on display. However, after further investigation, we found files and entries related to various brands belonging to Pfizer. Finally, our team concluded that the Bucket probably belonged to the company's US Drug Safety Unit (DSU). Once our investigation was complete, we contacted Pfizer to present our findings. It took two months, but eventually we received a response from the company."

The company points out that these configuration errors are not isolated cases. Indeed, the American pharmaceutical giant's data leak was discovered as part of a large-scale web mapping project carried out by the VPN provider. It was first discovered in July 2020, three months ago. The U.S. company was reportedly notified three days later, with two follow-ups on July 19 and September 22. It was at VPN Mentor's insistence that the pharmaceutical group finally responded and took corrective action from September 23, 2020.

Unfortunately, this kind of configuration error seems to persist in the industry, and several examples can be cited:

– in 2017 the Accenture case

– in 2019 the American bank Capital One

Faced with these repeated configuration errors, several cloud storage providers have put tools in place to control access. This is the case for Amazon Web Services, with the Zelkova and Tiros tools, since 2018. Google, for its part, has also proposed a set of practices and precautions to follow in order to protect against this kind of data leak. These include adding multiple authentication measures and restricting bucket access. "Refrain from recording users' sensitive personal data unless necessary. If logging of this data is necessary, it must be encrypted or at least hidden in accordance with the highest security standards," says VPN Mentor.
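
As an illustration of what restricting bucket access means in practice, here is an added example (not from the original article, VPN Mentor or Google) that audits bucket records for public grants. It assumes the exposure takes the form of a grant to the special principals `allUsers` or `allAuthenticatedUsers`, which the article does not specify; the bucket names, members and the combined record layout (bucket metadata with its IAM policy nested under a `policy` key) are constructed for the example.

```python
import json

# Special Cloud Storage principals that make a grant public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample. Field names follow the Cloud Storage JSON API; nesting
# the IAM policy under "policy" is an arrangement assumed for this example.
SAMPLE = json.loads("""
[
  {"name": "example-support-transcripts",
   "iamConfiguration": {"publicAccessPrevention": "inherited",
                        "uniformBucketLevelAccess": {"enabled": false}},
   "acl": [{"entity": "allUsers", "role": "READER"}],
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
     {"role": "roles/storage.admin", "members": ["group:ops@example.com"]}]}},
  {"name": "example-private-reports",
   "iamConfiguration": {"publicAccessPrevention": "enforced",
                        "uniformBucketLevelAccess": {"enabled": true}},
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer",
      "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]}]}}
]
""")

def audit_bucket(bucket):
    """Return a list of findings (strings) for one bucket record."""
    findings = []
    cfg = bucket.get("iamConfiguration", {})
    # IAM bindings that name a public principal.
    for binding in bucket.get("policy", {}).get("bindings", []):
        public = PUBLIC_PRINCIPALS.intersection(binding.get("members", []))
        for member in sorted(public):
            findings.append(f"IAM: {binding['role']} granted to {member}")
    # Legacy ACL entries that name a public principal.
    for entry in bucket.get("acl", []):
        if entry.get("entity") in PUBLIC_PRINCIPALS:
            findings.append(f"ACL: {entry.get('role')} granted to {entry['entity']}")
    # Guard rails that would have blocked or simplified the above.
    if cfg.get("publicAccessPrevention") != "enforced":
        findings.append("publicAccessPrevention is not enforced")
    if not cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("uniform bucket-level access is disabled (object ACLs apply)")
    return findings

def audit(buckets):
    """Map bucket name -> findings, keeping only buckets with findings."""
    return {b["name"]: f for b in buckets if (f := audit_bucket(b))}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```
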