Hackers steal Pfizer/BioNTech COVID-19 vaccine data in Europe, companies say

U.S. drugmaker Pfizer and its German partner BioNTech said on Wednesday that documents related to development of their COVID-19 vaccine had been "unlawfully accessed" in a cyberattack on Europe's medicines regulator.

The European Medicines Agency (EMA), which assesses medicines and vaccines for the European Union, said hours earlier it had been targeted in a cyberattack. It gave no further details.

Pfizer and BioNTech said they did not believe any personal data of trial participants had been compromised and EMA "has assured us that the cyber attack will have no impact on the timeline for its review."

It was not immediately clear when or how the attack took place, who was responsible or what other information may have been compromised. 

The two companies said they had been informed by the EMA "that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech's COVID-19 vaccine candidate" had been viewed.

Such documents could be extremely valuable to other countries and companies rushing to develop vaccines, experts said.

"When it comes to the data submitted to these kinds of regulatory bodies, we are talking confidential information about the vaccine and its mechanism of action, its efficiency, its risks & known possible side effects and any unique aspects such as handling guidelines," said Marc Rogers, founder of a volunteer group fighting Covid-related breaches, CTI-League.

"It also provides detailed information on other parties involved in the supply and distribution of the vaccine and potentially significantly increases the attack surface for the vaccine," adding more ways the formulas or production could be hacked or stolen.

The companies said "no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed."

A spokeswoman for BioNTech declined further comment. Pfizer did not respond to a request for further comment.

The Pfizer-BioNTech vaccine is a top contender in the global race to beat back COVID-19. It is already being administered in Britain.

The EMA has said it would complete its review by Dec. 29, although its schedule may change.

The EMA statement gave few details about the attack, saying only it was investigating with help from law enforcement. 

"EMA cannot provide additional details whilst the investigation is ongoing," it said in a statement. 

U.S. law enforcement and cybersecurity officials did not respond to requests for comment.

Hacking attempts against healthcare and medical organisations have intensified during the COVID-19 pandemic as attackers ranging from state-backed spies to cyber criminals hunt for information.

Reuters has previously reported on allegations that hackers linked to North Korea, South Korea, Iran, Vietnam, China and Russia have on separate occasions tried to steal information about the virus and potential treatments.

Reuters has documented that espionage campaigns targeted a slew of pharmaceutical and vaccine development companies including Gilead, Johnson & Johnson, Novavax, and Moderna. Regulators and international organizations such as the World Health Organization have also come under repeated attack.

"Vaccine candidates represent liquid gold to many parties, both in terms of the opportunity and the pure market value," said Rogers, who is also vice president at security company Okta Inc. "Information on the vaccine and access to any link in the distribution chain has significantly increased value."

The respiratory virus, which emerged in China in late 2019, has infected more than 68 million people worldwide, according to a Reuters tally. More than 1.5 million people have died.

(Additional reporting by Joseph Menn and Raphael Satter; Editing by Angus MacSwan and David Gregorio)