Updated: Documents leaked to the internet in wake of EMA cyberattack

Regulatory NewsRegulatory News | 12 January 2021 |  By 

Editor's note: This article was updated 12 January 2021 to include information provided in EMA's fourth update on this cyberattack. 

Some of the COVID vaccine-related documents obtained during an early December 2020 cyberattack on the European Medicines Agency (EMA) made their way to the internet, according to the agency's fourth update on the matter. EMA's ongoing investigation has shown that "some of the unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties" were leaked and surfaced on the internet, said the agency in a 12 January press release.

EMA did not specify exactly which documents appeared on the internet, nor did the press release reveal where the documents appeared; EMA continued to affirm that the timelines for vaccine approval are unaffected. 

The cyberattack only involved one information technology application, reported the agency in an earlier update on the data breach. That update also revealed that COVID-19-related documents were the primary target of the cyberattack, and that all companies whose data were accessed had been informed.
In an earlier update following the 9 December announcement of the cyberattack, EMA had disclosed that “a limited number of documents belonging to third parties were unlawfully accessed.” Developers of two vaccines against COVID-19 have disclosed that their data was accessed in the cyberattack.
In a 14 December statement, Moderna said that “certain documents exchanged in the context of the pre-submission discussions” for for the vaccine it co-developed with the National Institutes of Health had been accessed by the hackers. Pfizer and BioNTech, its partner in COVID-19 vaccine development, also acknowledged that some of their data had been accessed in the attack.  (RELATED: Despite data breach, CHMP set to consider Pfizer-BioNTech COVID vaccine, Regulatory Focus 15 December 2020)
In both statements, the vaccine developers said that personally identifying information about study participants was not compromised. EMA has said that COVID-19 vaccine and therapeutics evaluation and approval timelines are not affected by the breach.
Neither EMA nor the drug companies who have acknowledged that their documents were accessed by those perpetrating the attack have given any indication of who is behind the actions. The agency did not reveal which information technology application was involved, but said that the third party company that is helping with the investigation is also putting in place “additional security measures” in the wake of the data breach.


© 2023 Regulatory Affairs Professionals Society.

Tags: coronavirus, EMA, EU

Discover more of what matters to you

No taxonomy