The European Medicines Agency has confirmed that malicious hackers behind the cyber attack, that targeted its server in December, have leaked documents related to COVID-19 medicines and vaccines online, thereby severely compromising the intellectual property associated with the vaccines.
On 9th December, the European Medicines Agency, which is responsible for evaluating and monitoring medicines within the EU and the European Economic Area (EEA), announced that it was the subject of a cyber attack that enabled hackers to get their hands on documents related to the development of a Covid-19 vaccine.
Soon after EMA announced the cyber attack, drugmaker BioNTech said that it was informed by the EMA that hackers were able to access "documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2". The stolen documents were stored in an EMA server before being accessed by hackers.
When the cyber attack took place, EMA was in the process of granting conditional marketing authorisation to BNT162b2, a COVID‑19 mRNA vaccine developed by BioNTech and Pfizer, as well as mRNA1273, a COVID-19 mRNA vaccine by Moderna Biotech Spain, S.L.
Earlier today, the European Medicines Agency said that investigation into the December cyber attack revealed that "some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet."
"The Agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorised access.
"The Agency and the European medicines regulatory network remain fully functional and timelines related to the evaluation and approval of COVID-19 medicines and vaccines are not affected. EMA will continue to provide information in due course, to the extent possible, given its duty towards the ongoing investigation," it added.
The cyber attack, however, failed to affect authorisations for BNT162b2, the COVID‑19 mRNA vaccine developed by BioNTech and Pfizer. A day after the cyber attack was announced, the U.S. FDA granted Emergency Use Authorization (EUA) for the vaccine in the United States, and on 16th December, BioNTech signed an agreement with Shanghai-based Fosun Pharma to supply an initial 100 million doses to China.
On 19th December, BioNTech received Conditional Marketing Authorisation from Swissmedic in Switzerland for BNT162b2, also known as Comirnaty, and a couple of days later, received Conditional Marketing Authorisation from the European Commission to administer Comirnaty to individuals 16 years of age and older across Europe.
In the next few days, BioNTech secured orders for the supply of a total of 200 million doses of the vaccine from the United States and 300 million doses of the vaccine from the European Union.
Commenting on hackers leaking documents associated with Comirnaty, Sam Curry, the chief security officer at Cybereason, said that the actions of many nation-state actors and other rogue hacking groups to steal vaccine research and disrupt the supply chain delivering the vaccines should be considered acts of war.
"With news of the recent leak of sensitive COVID-19 information from the European Medicines Agency, and specific vaccine data from Pfizer and BioNTech, the question that begs an answer is why? Because hackers today still see COVID-19 as a strategically valuable asset and it's likely they will for the foreseeable future," Curry said.
"Kudos to the pharma and research companies for working with law enforcement agencies to face these threats head on with advanced cyber tools and improved security hygiene. These companies face a new reality each and every day that motivated hackers will be successful every time they attempt to hack a company because they are well funded and are looking to reap both financial and political fame.
"As the protection surface expands to mobile, the cloud, and other potential attack vectors, those companies that can detect a breach quickly and understand as much as possible about the hacking operation itself, will be able to stop the threat and minimize or eliminate the risk altogether."