Hackers Leak Data Stolen in European Medicines Agency Cyberattack

In December, the European Medicines Agency (EMA) suffered a cyberattack and hackers gained access to third party documents. Some of the data stolen in the attack has now been leaked online.

The EMA is the agency responsible for regulating the assessments and approvals of COVID-19 vaccines, treatments, and research in the EU. The EMA had previously issued an update on investigation into the cyberattack and said only one IT application had been compromised. The EMA said all third parties had been notified about the attack, although those companies were not named. In the updates on the investigation, the EMA said the primary goal of the attackers was to gain access to COVID-19 medicine and vaccine information. While it was clear that documents had been accessed, the EMA has only just confirmed that data was exfiltrated by the attackers.

Prior to the cyberattack, BioNTech and Pfizer submitted their vaccine data to the EMA as part of the approval process and the server accessed by the hackers contained documents related to the regulatory submissions by Pfizer and BioNTech. Pfizer and BioNTech issued a joint statement in December confirming documents relating to their BNT162b2 vaccine had been unlawfully accessed. Moderna has also announced that it was notified by the EMA that data related to its mRNA-1273 COVID-19 vaccine candidate had been accessed by the hackers.

In an update issued on January 12, 2021, the EMA confirmed data had been exfiltrated by the attackers and some of the unlawfully accessed documents related to COVID-19 medicines had been leaked on the Internet. In a further update, the EMA said that prior to leaking the data many of the documents had been manipulated. The posting of the data appears to be part of a disinformation campaign to undermine trust in COVID-19 vaccines, with one poster of the stolen data alleging the Pfizer vaccine is fake.

Neither the EMA, BioNTech, nor Pfizer have disclosed which documents were leaked or what information has been made public; however, Bleeping Computer reported data stolen in the attack had been made available on several hacking forums. Several sources in the cybersecurity intelligence community had confirmed that the leaked data included screenshots of emails, peer review data, and several PDF files, Word documents, and PowerPoint presentations.

“The agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorized access,” said the EMA. The EMA is working closely with law enforcement agencies to remove and secure the leaked data and identify the individuals responsible for the attack. It is currently unclear who was responsible for the cyberattack and if there is a nation-state link.

The investigation into the attack is continuing, but the EMA has confirmed that there will be no impact on the timeline for the review and approval process for the vaccines.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.