Pfizer and BioNTech said documents related to their Covid-19 vaccine had been exposed in a cyber attack on the European Medicines Agency.
The vaccine makers on Wednesday said documents relating to the regulatory submission had been “unlawfully accessed” on the EMA server. The regulator had earlier on Wednesday disclosed that it had been the “subject of a cyber attack” and said it was launching a full investigation and collaborating with law enforcement.
“It is important to note that no BioNTech or Pfizer systems have been breached in connection with this incident and we are unaware that any study participants have been identified through the data being accessed,” the companies said in a statement.
“EMA has assured us that the cyber attack will have no impact on the timeline for its review,” they added.
It could not be immediately determined what documents were accessed, or if any other drugmakers had been affected. The EMA has been conducting rolling reviews of vaccine candidates, including those made by Moderna and AstraZeneca and the University of Oxford, for months.
Rolling reviews are a type of accelerated assessment whereby drugmakers submit data, including those for safety and efficacy, as they become available, rather than in one go. Proprietary information such as intellectual property is not typically shared.
The US and the UK earlier this year warned state-sponsored hackers in China and Russia have been targeting pharmaceutical and academic research groups developing coronavirus treatments and vaccines, in what has been dubbed an “intellectual property war”.
In July, the US charged two Chinese hackers with targeting American companies carrying out coronavirus research with the theft of trade secrets.
IBM researchers last week said they had found cyber attackers targeting the cold supply chain to deliver Covid-19 vaccines, assessing it was likely to be a campaign backed by a nation state.
“Virtually every nation-state actor has been targeting vaccine information since the start of the pandemic, so this is not at all surprising,” said Dmitri Alperovitch, co-founder of cyber security group CrowdStrike who now runs the Silverado Policy Accelerator think-tank. The motives of the attackers were “most likely intelligence collection on vaccine efficacy and safety”, he said.
This type of information, however, “will all be public shortly”, he added.
The Amsterdam-based drugs regulator has said it would consider the approval of the Pfizer/BioNTech vaccine by December 29 at the latest, a delay of about a week compared with plans discussed late last month.
Member states have been pressing the agency, which oversees approval for all countries in the European Union, into aligning with UK and US approval timelines. The UK has approved the Pfizer/BioNTech vaccine, as have Bahrain and Canada, while an FDA advisory panel is set to meet on Thursday to discuss whether to recommend it receive emergency use authorisation.
The EMA did not respond to a request for comment outside business hours.
Additional reporting by Hannah Murphy