UPDATE: Jan. 15, 2021: Malicious actors manipulated COVID-19 vaccine data prior to leaking the information stolen in a cyberattack last year, the EMA said on Friday. "Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines."
The compromised data included internal and confidential emails since November, before EMA disclosed the intrusion in December, the agency said.
The EMA said drug authorizations "are granted when the evidence shows convincingly that the benefits of vaccination are greater than any risks of the vaccine." The agency maintains the cyber incident has not impacted its work.
UPDATE: Jan. 12, 2021: The actors behind the EMA cyberattack have leaked data related to COVID-19 medicines and vaccines, the agency disclosed on Tuesday. The compromised data included vaccine data from Pfizer and BioNTech's COVID-19 vaccine candidate.
The European medicines regulatory network is "fully functional and timelines related to the evaluation and approval of COVID-19 medicines and vaccines are not affected," the EMA said.
An investigation is ongoing and law enforcement has yet to name a perpetrator. The "necessary action is being taken by the law enforcement authorities," the EMA said.
- Netherlands-based European Medicines Agency (EMA) disclosed a cyberattack Wednesday, though the extent of its impact is still unknown. "EMA cannot provide additional details whilst the investigation is ongoing. Further information will be made available in due course," the agency said.
- The EMA evaluates and approves drug submissions for the EU. And following the attack, Germany-based biotechnology company BioNTech said data regarding "regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2" was illegally accessed, according to a company announcement.
- The compromised data was stored on EMA's server, though systems directly owned by BioNTech and Pfizer were not breached. The EMA didn't disclose when the initial intrusion took place. The regulator told BioNTech the cyberattacks "will have no impact on the timeline for its review." BioNTech found no sign personal data of study participants was compromised, but the company is waiting on EMA's investigation and is working with EU regulators on next steps.
Cyberattacks could further erode the public's trust in not only the vaccine's efficacy, but its safe distribution. About 40% of Americans say they "definitely or probably would not" get the vaccination, according to a study by Pew Research.
The cybersecurity industry has focused on protecting supply chains within companies developing a vaccine, from informational and operational technology environments.
"What we had been thinking through at [Cybersecurity and Infrastructure Security Agency] was not just the vaccine developers, but their entire supply chain, and really trying to look through those critical weak spots," said former CISA Director Chris Krebs on Face the Nation Sunday. "We call it the ball-bearing strategy."
Last week IBM Security X-Force found "a global phishing campaign targeting organizations associated with a COVID-19 cold chain." The phishing operation began in September and targeted organizations within Gavi, The Vaccine Alliance's Cold Chain Equipment Optimization Platform (CCEOP) program, according to IBM's research.
The phishing campaign impersonated the CEO of the "world's only complete cold chain provider" within the CCEOP.
As of November, Moderna's vaccine, which relies on a cold chain to remain stable, is supported by existing infrastructure. Pfizer and BioNTech's vaccine requires dry ice for maintenance. The dry ice requirement could impede on its distribution, reported Cybersecurity Dive's sister publication Supply Chain Dive.
The focus on the supply chain was part of CISA's mission within Operation Warp Speed, in addition to ensuring public trust of a vaccine. "It's not just about Moderna and some of the others that are developing the vaccine. It's their supply chains, it's the distribution channels, public health institutions," said Krebs.
IBM suggests the perpetrator is a nation-state actor, and transportation of the vaccine is potentially "a hot black-market commodity," according to researchers.
Securing the supply chain includes reviewing access rights, access control systems, adopting a zero trust architecture and training personnel. The emails contain malicious HTML attachments which require targets to input their credentials to view. The method circumvents traditional phishing detection techniques.