Of all the cyberattacks that have targeted COVID-19 research, one is now known to have successfully snatched some data—from the Western world’s first authorized coronavirus vaccine.
The European Medicines Agency (EMA) “has been the subject of a cyberattack,” the EU drug regulator said in a brief statement Wednesday. During the assault, some documents in Pfizer and BioNTech’s submission for their COVID-19 vaccine candidate, BNT162b2, were “unlawfully accessed,” the two companies disclosed in a separate announcement.
The companies said the documents had been stored on an EMA server and that their own systems were not breached. At this point, they said they are “unaware that any study participants have been identified” through the incident.
Pfizer and BioNTech lodged their COVID-19 vaccine with the EMA at the beginning of this month. Drug reviewers at the agency’s Committee for Medicinal Products for Human Use are scheduled to meet Dec. 29 to decide whether they have seen enough data to grant the shot a conditional approval.
“EMA has assured us that the cyberattack will have no impact on the timeline for its review,” Pfizer and BioNTech said.
No further details were given as to where and when the hacking occurred or whether authorities have identified any suspects. It’s not clear whether data on any drug or vaccine beyond BNT162b2 were stolen. EMA said it has launched a full investigation in cooperation with law enforcement and will provide more information later.
Regulatory filing documents typically include confidential data about the vaccine itself but also cover information on other parties involved in the supply and distribution of the vaccine, Marc Rogers, founder of a volunteer group fighting COVID-19-related cyberattacks, CTI League, told Reuters.
BNT162b2 recently won its first authorization from the U.K., and an independent expert panel convened by the FDA is reviewing the vaccine Thursday.
Cyberattacks have recently circled companies and organizations developing COVID-19 vaccines, therapeutics and tests.
AstraZeneca was said to have been targeted by North Korean hackers, who used fake online recruiting schemes to try to breach the British pharma’s systems. The company’s experimental COVID-19 shot, AZD1222, recently reported phase 3 data.
The hackers have also tried to poach information from Johnson & Johnson and Novavax, which are working on their own COVID-19 vaccines, as well as three South Korean drugmakers, The Wall Street Journal recently reported, citing people familiar with the matter.
Nation-state players from Iran, China and Russia have also been accused of attempting to steal COVID-19-related information. But before the EMA incident, those moves didn’t seem to have yielded any information.