Hackers access Pfizer-BioNTech vaccine data in attack on European Medicines Agency

The breach is not expected to impact the timeline for the review of the vaccine

The European Medicines Agency (EMA) disclosed on Wednesday that it has suffered a cyber-attack, leading to unauthorised access to documents relating to a Covid-19 vaccine.

The EMA is the regulatory body responsible for approving vaccines in the EU. It was previously headquartered in London, but moved to Amsterdam following the Brexit vote.

The Agency is currently considering requests for conditional authorisation for several Covid-19 vaccines to be used in the EU.

Following the disclosure from the EMA, German biotech firm BioNTech released a statement on its website, revealing that the criminals behind the attack were able to access confidential documents relating to the regulatory submission for BioNTech and Pfizer's Covid-19 vaccine candidate, BNT162b2. The hackers appear to have compromised the EMA server on which the documents were stored.

No BioNTech or Pfizer systems were breached in the incident, the German firm said, and there is no evidence to suggest that any study participants were identified through the data being accessed.

The EMA has notified law enforcement agencies, and an investigation is now underway.

It is presently not clear when this breach occurred or who was responsible for the attack.

BioNTech said the EMA has assured them that the security breach would not impact the timeline for vaccine review.

The UK's National Cyber Security Centre (NCSC) said that the attack is not expected to affect the rollout of the Pfizer-BioNTech vaccine in the UK, which last week became the first to be granted emergency authorisation for use in the country.

The hack against the EMA is the latest in a series of cyber-attacks against biomedical firms and public health agencies.

Last week, IBM's X-Force IRIS team warned that an advanced group of hackers is targeting organisations involved in the distribution of Covid-19 vaccines. The researchers said that this specific cyber-espionage campaign has been running since September 2020, and spans six regions: Italy, Germany, the Czech Republic, greater Europe, South Korea and Taiwan.

In November, Microsoft said that it had detected several attempts by Russian and North Korean hackers to steal confidential data from leading biomedical firms and vaccine researchers.

In an alert issued in July, the NCSC revealed that Russia-backed group APT29 was targeting British labs to "steal valuable intellectual property" on Covid-19 vaccines. The group was specifically using 'WellMail' and 'WellMess' malware to target research organisations.