Breach Notification , COVID-19 , Governance & Risk Management

EU Vaccine Approval Agency Investigating Cyberattack

Incident Comes as Government Agencies Warn of Cybercrime Related to COVID-19
EU Vaccine Approval Agency Investigating Cyberattack

This developing story has been updated twice.

See Also: Cyber Insurance Assessment Readiness Checklist

The European Medicines Agency, which helps evaluate and authorize medicines and vaccines – including those for COVID-19 – in the EU acknowledges it has been hit with a cyberattack.

In a brief statement Wednesday, the Netherlands-based agency said: “EMA has been the subject of a cyberattack. The agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities. EMA cannot provide additional details whilst the investigation is ongoing.”

The agency declined Information Security Media Group’s request for additional details about the attack, but says it is "fully functional and work continues."

EMA is working on approval of two COVID-19 vaccines, which it expects to conclude within weeks, the BBC notes.

In a joint statement issued Thursday by pharmaceutical makers BioNTech and Pfizer, which are partnering on their COVID vaccine, the two companies said "some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed. ... No BioNTech or Pfizer systems have been breached in connection with this incident, and we are unaware that any study participants have been identified through the data being accessed."

Then on Dec. 14, news service Reuters reported that pharmaceutical firm Moderna was also informed by EMA that some of its COVID-19 vaccine related documents were also accessed in the hacking incident.

On Thursday, the EMA is scheduled to brief members of the EU's Public Health Committee on the status of COVID-19 vaccines expected to receive authorization, the BBC reports.

BioNTech and Pfizer in their joint statement said "EMA has assured us that the cyberattack will have no impact on the timeline for its review" of their COVID-19 vaccine.

The incident follows a string of recent advisories from global law enforcement and other government agencies, including the Department of Homeland Security in the U.S. and Europol and Interpol in the EU, warning of cybercriminals targeting COVID-19 supply chain and related organizations.

Growing Target

The attack on the EMA is “unsurprising” because there have been so many attacks against medical and healthcare organizations worldwide, says Mark Hendry, director of data protection and cybersecurity at global legal firm DWF, based in the U.K.

”What is unknown at this time is the identity of the perpetrator, whether they are an advanced persistent threat actor and whether the attack is … directly linked to other attacks we have seen on governmental, research and health-related organizations throughout the pandemic,” he says.

Retired FBI supervisory special agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP, offers a similar assessment.

”As the health and financial value of COVID-19 vaccines moves to the forefront of society, it is inescapable that criminal and cyberthreat actors are laser-focused on attempting both obvious and deliberate attacks against COVID-19 vaccine makers,” he says. “Additionally, it is becoming patently obvious that many of these attacks are being instigated by hostile nation-state threat actors, as well.”

Global Warnings

Europol and Interpol last week issued notifications warning of a potential surge in organized crime activity tied to COVID-19 vaccines (see: Interpol: Organized Crime to Capitalize on COVID-19 Vaccines ).

And in the U.S., the DHS’ Cybersecurity and Infrastructure Security Agency last week also issued an advisory citing a new report by IBM warning organizations involved in COVID-19 vaccine production and distribution of a global phishing campaign targeting the cold storage and transport supply chain (see: Phishing Campaign Targets COVID-19 'Cold Chain').

Many vaccines in development - including coronavirus vaccines - must be kept at low temperatures before being administered.

IBM says a spear-phishing campaign, which started in September, spans six countries and targets organizations and agencies that support the Cold Chain Equipment Optimization Platform program. That program was launched in 2015 by the United Nations Children's Fund and other partners to distribute vaccines.

The COVID-19 "cold chain" phishing campaign aims to harvest account credentials at companies involved with vaccine production, storage and distribution, IBM reports.

The U.S. Federal Trade Commission on Tuesday issued an advisory warning about COVID-19 scammers and potential identity thieves as vaccines are expected to hit the distribution pipeline by year-end.

”While we wait for a timeline and more information, there’s no doubt scammers will be scheming,” the FTC says.

Taking Action

With cybercriminals targeting entities involved in COVID-19 vaccine development and distribution, organizations must be prepared to deal with potential attacks.

”Where possible, seek to understand the methods used to attack and disrupt organizations in your sector and be ready to defend against common types of attack and deal with the disruption they inevitably cause when they arrive,” Hendry says.

”In the case of organizations on the front line of vaccination deployment, it would be prudent to consider redundancy planning - for instance, the use of alternative facilities and equipment, which may involve redundancy partnering relationships with other organizations fulfilling a similar role to your own,” he suggests.

COVID-19 vaccine providers and others need to protect their IT and OT networks, "especially with the growing threat of disruptionware attacks, which include a broad variety of cyberattacks including the most common: ransomware attacks focusing on the encryption and exfiltration of this critical data,” Weiss says.

”These growing threats are even more dangerous now that most of the transactional criminal organizations and cyberthreat actors, both within the United States and around the world, are laser-focused on disrupting, stealing or delaying the COVID-19 vaccine and its distribution in the hopes of a major payday. Throw in the certainty of insider threat actors hired by these criminal and cyber actors, and security will be paramount to get this vaccine out to the world safely and effectively.”

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.