The European Medicines Agency (EMA), responsible for overseeing and approving the development of COVID-19 vaccines, has acknowledged that cybercriminals stole COVID-19 vaccine data from developers Pfizer and BioNTech in early December.
“Some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties have been leaked on the internet,” the latest cyberattack update reads. ”Necessary action is being taken by the law enforcement authorities. The Agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorised access.”
According to Bleeping Computer, which also discovered one of the alleged leaks on a popular hacking forum, the stolen data includes email screenshots, EMA peer review comments, Word documents, PDFs and PowerPoint presentations.
In a joint statement released by the two pharmaceutical giants, the developers of the BNT162b2 COVID-19 vaccine disclosed that only some of their confidential documents were accessed during the cyberattack.
“Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyberattack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed,” the press release said. “It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed.”
EMA said its medicine-related regulatory network is fully functional, and that its evaluation process for the approval of coronavirus drugs and medications is not affected by the breach.
The agency offered no additional information regarding the leaked data, saying it would prejudice the ongoing investigation.
“EMA will continue to provide information in due course, to the extent possible, given its duty towards the ongoing investigation,” the cyberattack update concluded.