The hackers behind the cyberattack on the European Medicines Agency (EMA) have leaked some of the COVID-19 vaccination data that was stolen in the attack.
The EMA is responsible for the evaluation and supervision of medicines and vaccines in the European Union and is the EU equivalent of the U.S. Food and Drug Administration (FDA). As such, all COVID-19 vaccines and medicines must be approved by the EMA before they can be used in the EU. Biotechnology and pharmaceutical firms must submit documentation related to their drugs and vaccines to be reviewed by the EMA.
The EMA suffered a cyberattack in December at a time when the EMA was assessing the Pfizer-BioNTech COVID-19 vaccine candidate (BNT162b2). Pfizer and BioNTech had submitted documentation to the EMA on their vaccine prior to the cyberattack, and that documentation was stored on a server that was remotely accessed by the hackers.
The EMA investigation into the breach confirmed the breach was limited to a single IT system and limited third-party documentation had been accessed. The EMA alerted all third parties concerned but did not publicly announce which companies had been affected by the breach.
Pfizer and BioNTech released a joint statement confirming some of their documentation had been unlawfully accessed and this week the EMA released an update on its investigation and explained that some third-party documentation had been published online on hacking forums as early as December 31, 2020. Moderna has also confirmed that documents exchanged with the EMA as part of pre-submission discussions related to its mRNA-1273 COVID-19 vaccine candidate had also been accessed by the hackers.
The EMA said the breach is still being investigated and the agency is working with law enforcement agencies to secure the stolen documentation. The EMA evaluation and approval process for COVID-19 medicines and vaccines had not been affected.
Bleeping Computer recently reported that the data published on hacking forums included Word documents, PowerPoint presentations, PDF files, email screenshots, and EMA peer review comments.