Pharma's cyber vulnerabilities run deeper than Merck's 'NotPetya' attack: report

What not to do with pharma company credentials? Use them to log into social media, for one, and gaming sites, for another. You'd think those would be obvious no-nos, but the practice is more common than you'd expect. And the industry is paying the price in the form of widespread cybersecurity vulnerabilities, according to a recent report by digital risk protection company Constella Intelligence.

The lesson is clear: Not every cybersecurity snafu needs to be as bombastic as Merck’s “NotPetya” imbroglio. Behind the big headlines are much more common, albeit still risky, breaches—and the problem’s getting worse.

Of the 20 pharma companies Constella analyzed, five clocked more than 200,000 total data exposures and breaches, with some climbing as high as 400,000, Jonathan Nelson, digital intelligence specialist at Constella Intelligence, said in an interview.

For its pharma report, Constella sought to uncover the cybersecurity risks plaguing the world’s top 20 drugmakers by revenue. Risk here refers to the circulation of personal data and other sensitive information threat actors can use to “infiltrate” corporate networks, Nelson explained.

These pharma vulnerabilities crop up when third-party domains are breached. This often leads to personal data like names, passwords and phone numbers turning up for sale on the deep and dark webs. What Constella is seeing, essentially, is that many employees and executives are using company credentials to log into third-party websites.

“When we see corporate credentials being used on nonessential sites—gaming sites, adult sites, social media sites—it’s an indicator that employees are incurring serious cyber risk,” Nelson explained.

Looking at data from January 2018 through September 2021, Constella identified 9,030 breaches or leakages and more than 4.5 million exposed records linked to employee corporate credentials. These breaches exposed information like email addresses, passwords, phone numbers and addresses as well as credit card and banking information.

Meanwhile, the problem seemed to get worse in 2021, which certainly isn’t reassuring given the industry’s pivotal role in the COVID-19 response. Some 59% of total breaches and 76% of total exposed records ID’d in Constella’s pharma report happened after 2020, the company noted in a press release.

“We’re at a moment now where there’s been a massive shift toward distributed remote hybrid and remote work, in addition to the fact that the intellectual property and the value of the intellectual assets and the data available to these [drugmakers] is significantly increasing,” Nelson said.

Aside from big picture worst-case scenarios like supply chain shutdowns and trade secret theft, these vulnerabilities can open the door to reputational problems, too, especially against the backdrop of a highly politicized vaccination debate in the U.S., Nelson pointed out.

Last summer, The New York Times reported on enigmatic PR firm Fazze, which tried to recruit social media influencers in France and Germany to make misleading claims about Pfizer and BioNTech’s COVID-19 vaccine Comirnaty. When some influencers tried to look into the company, the trail led to Russia, the NYT wrote.

More information gradually trickled out about the Russian market agency subsidiary and the widespread disinformation campaigns it was running against Western-made COVID-19 vaccines. In one instance, Fazze specifically tried to get influencers to hype up a chart taken from a leaked AstraZeneca document and claim the British drugmaker’s vaccine was dangerous, The Daily Beast reported last year. It wasn’t clear how Fazze obtained the report, the publication noted at the time.

The gung-ho shift to remote work, meanwhile, has left little time for companies to adequately update their security practices. “Most of these companies had a traditional physical work model where their cyber security postures were designed and developed for that purpose,” Constella’s Nelson said. The swift shift to the virtual office means companies haven’t had enough time to develop updated protocols and programs, while individuals themselves haven’t been able to gather sufficient cybersecurity awareness, he continued.

Another danger that companies and individuals might forget to consider? It isn’t just employees’ personal information that turns up on the deep and dark webs: Relatives’ information, banking information and addresses are some of the other attributes that can wind up for sale, Nelson said.

Among the pharma cyberattacks in recent memory, few stand out as much as Merck’s NotPetya incident. The New Jersey drugmaker was among a slate of global companies hit by the June 27, 2017, attack, which was ultimately linked to the Russian military. The attack hamstrung Merck’s in-house API production and affected its formulation and packaging systems as well as R&D and other operations.

Merck and its insurers continue to battle over $1.4 billion in losses from the attack. Just a few weeks back, Merck clinched a win in that fight. Essentially, Merck’s insurers said that the cyberattack should be subject to an “act of war” exclusion, because it originated from the Russian government as part of its hostility toward Ukraine. Merck took the opposite stance. In late January, a New Jersey judge concluded the act of war exclusion doesn’t apply, since it’s intended for actual armed conflict.

As for how companies can protect themselves, continuous monitoring is one of the biggest levers, Constella’s Nelson said. Other measures such as companywide password protocols, use of secure VPNs and investment in cybersecurity infrastructure tailored to the remote work environment can also help.