Documents and other material related to the Pfizer/BioNTech Covid-19 vaccine have been stolen in a confirmed cyber attack on the European Medicines Agency (EMA), which has launched a full investigation alongside law enforcement and other security professionals.
The European Union body – formerly located in the UK but lost to the Netherlands due to Brexit – is responsible for facilitating the development of and access to medicines, evaluating applications for marketing authorisation, monitoring the safety of medicines across their lifecycle, and provide information to healthcare professionals and the public.
Like any organisation in the healthcare sector, it has been particularly vulnerable to compromise by malicious actors during 2020, thanks to the Covid-19 pandemic, and its close involvement with the approval of vaccines against the coronavirus.
In a statement, the agency said it will not be providing any additional details whilst its investigation is ongoing, but committed to making further information available “in due course”.
A spokesperson for BioNTech said: “Today, we were informed by the EMA that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s Covid-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed.
“It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.
“At this time, we await further information about EMA’s investigation and will respond appropriately and in accordance with EU law. EMA has assured us that the cyber attack will have no impact on the timeline for its review,” they said.
BioNTech added that its own focus remained “steadfast” on working in close partnership with both governments and regulators to bring its Covid-19 vaccine – which is already available in the UK and has been found to be 95% effective in granting immunity to the virus – to as many people as possible.
Mikko Hyppönen, chief research officer at F-Secure, commented: “Intelligence agencies have a job of defending their nations from outside threats. In that sense it’s not surprising to see intelligence agencies try to steal vaccine research data, if they see Covid-19 as one of those outside threats and if they believe that stealing research data makes it easier to defend their nations.
“BioNTech was able to defend their research as long as it was on their own systems.,” he said. “However, there’s nothing they could do to protect their research data when it was going through regulatory processing on governmental systems. Attackers will find the easiest way to gain access to the data they are after.”
Mark Hendry, director of data protection and cyber security at legal practice DWF, said the lack of further information as to the precise nature of the attack on the EMA was entirely understandable while investigations and preliminary response measures are ongoing.
“Despite some ransomware attack groups making public statements regarding a ceasefire against organisations operating in the health sector during the Covid-19 pandemic, these organisations and sectors have continued to experience cyber-attacks,” he said. “Attacks originate from threat actor groups ranging from criminal ransomware operators to nation state attackers, each with different capabilities and motives.
“Cyber attackers will often lie in wait for the opportune moment, releasing their attack at the point in time when they perceive cyber defences of their target to be weakened and/or when an attack can cause maximum disruption and impact,” said Hendry.
“In this particular example, it comes at a time when the organisation is heavily involved in the vital Europe-wide mission to limit, treat, and vaccinate against Covid-19. In other examples, an attack might be planned and executed when a company is about to launch a new product to market, enter the busiest retail period of the year, or undertake a company acquisition or merger.”
Hendry said that increasing awareness of the mindset of cyber criminals was highly important in anticipating, preparing for and defending against attacks, and urged organisations to consider identifying the planning for major global events – such as Covid-19 – that might cause them to become a target for attack, and ensure that robust defences based on people, processes and technology were in place to thwart them.
The attack on the EMA comes just days after researchers at IBM’s X-Force security unit revealed that elements of the Covid-19 vaccine supply chain were coming under sustained attack by a nation-state backed group.
This campaign has been active since September 2020, and is targeting organisations associated with the cold chain – the part of the supply chain that ensures the preservation of vaccines in temperature-controlled environments when they are being transported.
There is currently no indication or evidence to suggest the attack on the EMA is the work of the same group, or whether or not it was perpetrated by a cyber criminal gang operating independently, or operatives of a state-backed entity.