COVID-19 Vaccine Documents, Personal Data LeakedInformation Stolen From European Medicines Agency
This article has been updated.
Documents on COVID-19 vaccines and medications – including some containing personal information – that were stolen in a cyberattack last month on the EMA said on Jan. 15 that some of the leaked documents have been "manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines."
The agency, based in The Netherlands, evaluates and authorizes medications and vaccines - including those for COVID-19 - in the European Union.
In an statement issued Jan. 12, the EMA says an investigation has determined “that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet.”
The statement notes: “The agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorized access.”
None of the agency’s three previous statements about the incident - including one issued on Dec. 22 saying that the companies concerned had been "duly informed” about the data breach - had mentioned that individuals’ personal data also may have been compromised.
Although the EMA has not named the third parties whose documents were stolen and leaked, U.S.-based Pfizer and Germany-based BioNTech – which have partnered on a COVID-19 vaccine –issued a joint statement in December saying that some documents relating to their submission of the vaccine to the EMA for regulatory approval had been “unlawfully accessed.”
Pfizer and BioNTech declined Information Security Media Group’s request for further comment.
Reuters reported earlier that U.S.-based pharmaceutical firm Moderna, a COVID-19 vaccine developer, also was affected by the EMA cyberattack. Moderna did not immediately respond to ISMG’s request for comment on the incident.
In its latest updated statement, the EMA says it “and the European medicines regulatory network remain fully functional, and timelines related to the evaluation and approval of COVID-19 medicines and vaccines are not affected.”
In its Dec. 22 statement, EMA noted that its ongoing investigation of the cyberattack was being carried out “in close collaboration with law enforcement and other relevant entities.” It said the data breach “was limited to one IT application.”
In that statement, the EMA noted: “The perpetrators primarily targeted data related to COVID-19 medicines and vaccines and unlawfully accessed documents belonging to third parties.”
EMA has not disclosed details about the kinds of documents that were compromised or whether the data was “leaked” on a public website, on the darknet or somewhere else on the internet.
The agency did not immediately respond to ISMG’s request for clarifications.
Mark Hendry, director of data protection and cybersecurity at U.K-based law firm DWF, says Tuesday’s statement from EMA is “the first which has specifically made mention of personal data having been affected - the previous three updates only mentioned documents belonging to third parties without specifying what those documents contained.”
Hendry adds: “One activity that has apparently been commenced by the EMA is to notify individuals whose data has been affected.”
The posting of stolen data on the internet “changes our understanding of the motivations and means of the threat actor behind the attack,” Hendry says. “Data can now be accessed by a whole range of other malicious actors, each with different motivations and techniques for using it to nefarious ends such as identity theft, fraud and other harmful and criminal pursuits.”
Regulatory attorney Alex Reynolds of the law firm Davis Wright Tremaine offers a similar assessment.
“Posting stolen data publicly could create additional risks to the affected company or, if the data contains individuals’ personal information, to the individuals themselves, because an unknown number of other bad actors could access and use the data,” he says. “Depending on the nature of the information, criminals could use it to devise more effective attacks, such as spear-phishing campaigns, against the company or individuals."
Following a cyber incident involving third parties, an affected entity needs to assess whether compromised data sets contained trade secrets or other highly sensitive information, Reynolds says.
The incident could trigger regulatory issues for EMA and the companies whose documents were leaked.
“Laws including the GDPR [EU’s General Data Protection Act], HIPAA and U.S. state data breach notification laws may require companies and public institutions affected by an incident to report it,” he says. “Whether and how affected entities make reports depends on factors such as the type of data affected, residency of the affected individuals and the risk to individuals.”