EU Vaccine Regulator Hacked for Pfizer/BioNTech Info

The European Medicines Agency (EMA) says it was hacked by persons unknown. Data was stolen about the regulatory submission for BNT162b2—the COVID-19 vaccine developed by BioNTech and manufactured by Pfizer.

It’s just the latest in a long list of recent reports about state-sponsored hacks on vaccine-related organizations. And it’s making people’s blood boil (which doesn’t sound too healthy).

AppSec/API Security 2022

Who did it? And why? In today’s SB Blogwatch, we speculate to accumulate.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Painting Bill.


Just a Little Prick

What’s the craic? Jack Stubbs reports—“Hackers steal Pfizer/BioNTech COVID-19 vaccine data”:

 Pfizer and its German partner BioNTech said … documents related to development of their COVID-19 vaccine had been “unlawfully accessed” in a cyberattack on Europe’s medicines regulator. [They] said they did not believe any personal data of trial participants had been compromised.

The two companies said they had been informed by the EMA … “that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate” had been viewed. Such documents could be extremely valuable to other countries and companies rushing to develop vaccines.

The Pfizer-BioNTech vaccine … is already being administered in Britain. The EMA has said it would complete its review by Dec. 29.

And Catalin Cimpanu adds—“EU agency in charge of COVID-19 vaccine approval says it was hacked”:

 EMA is currently in the process of reviewing applications for two COVID-19 vaccines, one from US pharma giant Moderna, and a second developed in a collaboration between BioNTech and Pfizer. … Over the past months, numerous companies working on COVID-19 research and vaccines have been the targets of hackers, and especially of state-sponsored hacking groups.

In November … Microsoft said it detected three nation-state hacking groups (known as APTs) targeting seven companies working on COVID-19 vaccines, singling out Russia’s Strontium (Fancy Bear) and North Korea’s Zinc (Lazarus Group) and Cerium for the attacks. … IBM also reported last week that hackers were looking to compromise companies working in the “cold chain” of COVID-19 vaccines.

More info plz. BioNTech spokesperson Jasmina Alatovic offers rather less than the full story—“Statement Regarding Cyber Attack”:

 Today, we were informed by the … EMA that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2 … had been unlawfully accessed. … At this time, we await further information about EMA’s investigation and will respond appropriately.

Given the critical public health considerations and the importance of transparency, we continue to provide clarity around all aspects of the vaccine development and regulatory processes. Our focus remains steadfast on working in close partnership with governments and regulators to bring our COVID-19 vaccine to people around the globe as safely and as efficiently as possible to help bring an end to this devastating pandemic.

Wait. Pause. Why is EMA’s security so poor? Respect Deputy Cartman’s authority:

 Information pertaining to working vaccines has got to be some of the most sought-after information on the planet right now. One would hope that information directly pertaining to chemical formulas, how to make a vaccine, and so forth are on air-gapped networks with 2FA required at every access point.

However, londons_explore implies this is a non-story:

 There shouldn’t be any private data to steal. We grant these companies patents so they can be open about their tech.

If they have secret data, that really ought to be a reason to withdraw their patent.

Interesting point. Iconoclysm lives up to the pseudonym:

 Sure, unless this means countries that can’t access it end up having their own knockoff vaccines. If it’s going to save lives and stop the spread of the virus, I don’t really care about the patent on a vaccine.

What can be done? Here’s the inevitable answer from gweihir:

 Time to treat these people as terrorists. And I mean hunt them down and lock them up for a long, long time.

Hacking regular companies is one thing, but hacking hospitals, elements of the vaccine-system, etc. is directly and willfully killing people. … It is high time that significant effort is invested in identifying and stopping these people.

There needs to be a clear, red line that they must know to never step over. … Find them and give them a decade or so behind bars to think about the value of human life.

And if some countries do this, or sponsor it or tolerate it, drop them from the global Internet.

But you’ve gotta admire DancesWithBikers’ fancy footwork:

 Out the airlock with them. I realize it’s not practical or cost effective at the bottom of a gravity well, but I think it’s the right thing to do.

Whodunnit? This Anonymous Coward suggestifies thuswise:

 This is most likely cyber-espionage: hermit countries like Iran, China, or North Korea looking to steal Western-developed technology and manufacture a cheaper version. As always.

Meanwhile, a slightly sarcastic swarnie_ narrows it down:

 Just China checking their already 100% working vaccine from months ago is still better.

And Finally:

Painting Bill Gates (because vaccines, obvs.)

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Sara Bakhshi (via Unsplash)

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 385 posts and counting.See all posts by richi