Getty Images/iStockphoto

Pfizer, BioNTech COVID-19 Vaccine Data Breached in EU Regulator Hack

The cyberattack on an EU regulator and subsequent breach of Pfizer and BioNTech COVID-19 Vaccine Data should serve as a warning to the US healthcare sector.

Data on the first authorized COVID-19 vaccine from Pfizer and BioNTech has been breached after a successful, targeted cyberattack on the European Medicines Agency (EMA), a regulatory agency, EMA, BioNTech, and Pfizer officials confirmed.

The EMA is tasked with vaccine assessments and approvals for the European Union. The pharma companies submitted their COVID-19 vaccine to the regulator for approval earlier this month. A meeting to determine the vaccine’s conditional approval is scheduled for the end of December.

The vaccine was issued a temporary authorization for emergency use in the UK on December 2.

EMA confirmed the agency was targeted by a cyberattack on Wednesday, December 9. The threat actors were able to access some documents related to the regulatory submission for Pfizer and BioNtech’s COVID-19 vaccine candidate, BNT162b2, which was stored on an EMA server.

The notices did not explain whether the hackers were able to exfiltrate the data during the attack. The network of BioNTech and Pfizer were not breached during the incident.

The regulatory agency launched an investigation with assistance from law enforcement and other relevant agencies to determine the scope of the incident but provided no further information.

BioNTech and Pfizer officials said there’s currently no evidence that personal information tied to vaccine trial participants had been breached during the attack. And officials said they don’t believe the hack will impact the vaccine rollout, which is already being administered in the UK.

The UK National Cyber Security Centre, a frequent partner of the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency, is assisting with the investigation into the attack.

"The NCSC is supporting vital vaccine research and manufacture to defend against cyber threats,” officials said in a statement. "We are working with international partners to understand the impact of this incident affecting the EU's medicine regulator, but there is currently no evidence to suggest that the UK's medicine regulator has been affected."

While the attack was directed on an EU agency, the cyberattack should serve as a warning for the US healthcare sector as it continues work on its own on COVID-19 research, vaccines, and treatments.

Federal agencies and security researchers have continued to warn that nation-state threat actors and other cybercriminals will continue targeted attacks on valuable coronavirus-related data in a continued effort to take advantage of the global pandemic.

AstraZeneca employees recently confirmed that nation-state threat actors with ties to North Korea had launched a mass phishing campaign in an effort to gain access to the pharma giant’s network, while hackers with ties to China previously attempted to steal COVID-19 vaccine data from Moderna, following an announcement that the firm entered its final phase of investigational vaccine trials.

Meanwhile, an earlier report from Microsoft both North Korean and Russian hackers have been actively targeting COVID-19 research firms, including those tasked with vaccine development. Previous federal alerts shed light on these nation-state hacking efforts, which include phishing attempts, credential theft, and the exploitation of known vulnerabilities.

Unsurprisingly, cybercriminals have steadily worked to take advantage of the global pandemic in the US, beginning shortly after the national emergency status announcement.

The World Health Organization was unsuccessfully targeted in March, but Hammersmith Medicines Research, 10x Genomics, a host of other research firms, and dozens of US health systems were not as lucky.

It’s imperative that US healthcare entities and research firms review their security policies and procedures, as well as business continuity and disaster recovery plans, to prevent falling victim to one of these attacks. As the successful hack on leading cybersecurity firm FireEye shows, no organization is safe from cybercriminals.

Next Steps

Dig Deeper on Healthcare data breaches