Personal data on 17,000 current and former employees of pharmaceutical giant Pfizer have been exposed by a member of staff who installed unauthorised file-sharing software on a company laptop.
The data on 15,700 staff has already been accessed and copied by an unknown number of people on a peer-to-peer network, the company said in a letter sent to affected employees. The exposed information included social security numbers.
Pfizer was not available for comment. But copies of the letter were posted on several websites, including Pharmalot, a blog covering the pharmaceutical industry.
The incident has prompted an investigation by the attorney general in the US state of Connecticut, where 305 of the affected Pfizer staff live. Attorney general Richard Blumenthal asked Pfizer to provide details on the data protection measures in place before the breach, when the company discovered the breach and how it responded.
Blumenthal's letter also asked Pfizer to describe how it was able to make a distinction between data that was actually compromised and data that might only potentially have been accessed. He gave Pfizer until 22 June to respond.
The 1 June letter sent by Pfizer to its staff, which was signed by the company’s general counsel, Lisa Goldman, did not mention how Pfizer discovered the breach. But as soon as the breach was discovered, the company recovered the laptop from the employee and the file-sharing software was disabled, she said.
No other data was compromised because the system was being used to access the internet from outside Pfizer's own network.
Pfizer has signed up for a support and protection package from credit reporting agency Experian for all affected staff, Goldman said. The packages include a year's free credit monitoring and a $25,000 (£12,500) insurance policy covering costs that individuals might incur as a result of the breach, Goldman noted.