A letter from Pfizer's attorney to Connecticut attorney general Richard Blumenthal shows the drug maker first learned of a data breach involving about 17,000 of its employees on April 18 -- six weeks before the company started notifying them of the incident on June 1.
The 11 July letter also said that that a "small group" of additional individuals may have been affected by the breach, in addition to the 17,000 that was originally reported.
Nash's letter was in response to a note Blumenthal has sent on 6 June to Pfizer. In it Blumenthal sought a full explanation of the circumstances surrounding the breach, which saw personal data belonging to about 17,000 Pfizer workers exposed by a file-sharing program that had been illegally installed on a company laptop.
According to Pfizer's original notice, about 15,700 individuals actually had their data accessed and copied by an unknown number of persons on a peer-to-peer network. The company said that while data on the rest of the affected individuals might have been exposed, it could not confirm if the information had actually been copied.
Among the issues that Blumenthal sought clarifications on were the measures that Pfizer had in place prior to the breach to protect against data compromises, as well as information about when the company discovered the breach and how it responded to the incident. Blumenthal's letter also asked Pfizer to describe how it was able to make a distinction between the data that was actually copied and data that might only potentially have been accessed.
In his formal response on Pfizer's behalf, Nash said that Pfizer learned of the incident on 18 Apri when an independent computer consultant informed the company that he had found Pfizer data on a peer-to-peer network.
The compromise occurred on 26 March when the spouse of a Pfizer employee used the employee's password to access the computer and install an unauthorised file-sharing software program on it, Nash said. He however offered no explanation on why the company waited till June 1 to inform those affected by the breach.
"That software was configured by the spouse so that other users of the file-sharing network could access certain files that the spouse had stored in the employees' laptop," Nash said. "Unfortunately, the software configuration also allowed users of the file-sharing network to access certain other files – Pfizer files – contained on the laptop," Nash noted in his letter.
In addition to the personal data on Pfizer employees, other information pertaining to the company's pharmaceutical sales business and operations was compromised, he said.