The European Medicines Agency recently suffered a cyber attack that enabled hackers to get their hands on documents related to the development of a Covid-19 vaccine developed jointly by Pfizer and BioNTech.
The European Medicines Agency, which is responsible for evaluating and monitoring medicines within the EU and the European Economic Area (EEA), announced the cyber attack in a brief statement posted to its website on Wednesday, stating that it had launched a full investigation into the incident along with law enforcement and other relevant entities.
"EMA has been the subject of a cyberattack. The Agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities. EMA cannot provide additional details whilst the investigation is ongoing. Further information will be made available in due course," it said.
While EMA has been tight-lipped about the fallout of the cyber attack or even the motives behind the attack, drugmaker BioNTech said today that it was informed by the EMA that hackers were able to access "documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2".
According to BioNTech, the documents accessed by hackers were stored on an EMA server, and no BioNTech or Pfizer systems have been breached in connection with this incident. "At this time, we await further information about EMA’s investigation and will respond appropriately and in accordance with EU law. EMA has assured us that the cyber attack will have no impact on the timeline for its review," it said.
On 1st December, the European Medicines Agency said it had received an application for conditional marketing authorisation (CMA) for BNT162b2, a COVID‑19 mRNA vaccine developed by BioNTech and Pfizer. The agency said that as it had already reviewed some data on the vaccine during a rolling review, the assessment of BNT162b2 will proceed under an accelerated timeline.
On the same day, EMA said it had also received an application for conditional marketing authorisation for mRNA1273, a COVID-19 mRNA vaccine by Moderna Biotech Spain, S.L. EMA had previously conducted a rolling review of the vaccine and said its opinion on the marketing authorisation could be issued within weeks.
EMA is also conducting a rolling review of Ad26.COV2.S, a COVID-19 vaccine from Janssen-Cilag International N.V. that will involve an assessment of the vaccine’s compliance with the usual standards for effectiveness, safety, and quality. The company has not yet revealed if the cyber attack targeting EMA compromised its COVID-19 vaccine research data.
While it is not known when the cyber attack took place, we can assume it took place in the first week of December as BioNTech had submitted its application for conditional marketing authorisation on the 1st. On 3rd December, EMA had also announced that its corporate website (www.ema.europa.eu) would be briefly unavailable due to essential maintenance.
Responding to the cyber attack targeting EMA servers, GCHQ's National Cyber Security Centre said it is "working with international partners to understand the impact of this incident affecting the EU's medicine regulator, but there is currently no evidence to suggest that the UK's medicine regulator has been affected."
Commenting on the cyber attack, Carl Wearn, Head of E-Crime at Mimecast, said it's crucial for COVID-19 vaccine research organisations, healthcare agencies, and companies involved in the manufacturing and delivery of vaccine to put the right measures in place to safeguard their networks and data, as it’s almost certain that cyberattacks against companies involved in the COVID vaccine supply chain will continue and even increase.
"From patient data to highly sensitive IP related to the treatment of COVID, the medical industry is a goldmine for hackers, and it needs to ensure it has strong cybersecurity in place. This starts with putting cybersecurity at the heart of their digital services, training employees, and partners about cyber hygiene habits and being vigilant at all times. We shouldn’t underestimate how challenging this last pillar is when the industry is under high pressure to deliver a treatment faster than ever before, which requires extensive collaboration from all parties and long hours for workers.
"We should celebrate the fact the medical industry has responded to a global pandemic in the most effective way possible and as quickly as possible. Implementing stringent cybersecurity processes and best practice would enable it to mitigate cyberattacks more effectively, wherever they come from, and whatever format they take," he added.