Pfizer COVID-19 vaccine data leaked by hackers
The European Medicines Agency (EMA) has reported that some of the data on the Pfizer/BioNTech COVID-19 vaccine that was stolen during a cyber-attack in early December 2020 was released online illegally shortly after the attack.
The leak was discovered during an investigation that was launched into the attack by the EMA and law enforcement. It is claimed that evidence of the stolen data was found on various hacking forums as early as 31 December. The EMA stated yesterday (13 January) that action is being taken by authorities.
The EMA is a decentralised agency responsible for evaluating, monitoring and supervising new medicines introduced to the EU. As such, it is accountable for approving any COVID-19 vaccines. On 9 December 2020, the EMA released a statement alerting that it had been subject to the cyber-attack.
Pfizer and BioNTech then released a joint statement outlining the nature of the breach: "Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber-attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed.”
At the time, it was concluded that only a small number of documents had been accessed, limited to a single IT application as the hackers targeted data relating specifically to the Pfizer/BioNTech COVID-19 vaccine. Nevertheless, according to sources on technology and cybersecurity website BleepingComputer, the threat actors accessed Word documents, PDFs, email screenshots, PowerPoint presentations and EMA peer review comments.
The EMA assured that, despite the breach, its regulatory network is fully operational and that the evaluation and approval of COVID-19 medicines have not been affected by the incident.
THE LARGER PICTURE
The breach of the EMA server is not the only cyber-attack related to COVID-19 vaccines. There has been increasing concern about the safe deployment of the vaccine as cybercriminals attack the vaccine “cold chain”, launching what has been called a “global phishing campaign” against organisations responsible for the transport and sub-zero storage of the vaccine, supposedly in an attempt to gain unauthorised access to private credentials and sensitive information regarding the vaccine’s distribution.
Experian also released a report at the end of 2020 warning of the potential security risks that accompany the technological diversification in healthcare affected by COVID-19. It highlighted the potential risks of overlooking cybersecurity and the increased possibility of misinformation, particularly regarding the COVID-19 vaccine, while Dr Saif Abed also outlined the challenges of cybersecurity during the global mass rollout of the vaccine in a blog for Healthcare IT News.
ON THE RECORD
Responding to the announcement, chief security officer at Cybereason, Sam Curry, called security breaches surrounding the COVID-19 vaccine “diabolical”.
He continued: “Hackers today still see COVID-19 as a strategically valuable asset and it's likely they will for the foreseeable future. Kudos to the pharma and research companies for working with law enforcement agencies to face these threats head on with advanced cyber tools and improved security hygiene. These companies face a new reality each and every day that motivated hackers will be successful every time they attempt to hack a company because they are well funded and are looking to reap both financial and political fame. As the protection surface expands to mobile, the cloud and other potential attack vectors, those companies that can detect a breach quickly and understand as much as possible about the hacking operation itself, will be able to stop the threat and minimize or eliminate the risk all together."