The European Union’s drug regulator said Friday that COVID-19 vaccine documents stolen from its servers by hackers have been not only leaked to the web, but “manipulated.”
The European Medicines Agency said that an ongoing investigation showed that hackers obtained emails and documents from November related to the evaluation of experimental coronavirus vaccines. The agency, which regulates drugs and medicines across the 27-member EU, had troves of confidential COVID-19 data as part of its vaccine approval process.
“Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines,” the Netherlands-based agency said.
“We have seen that some of the correspondence has been published not in its integrity and original form and, or with, comments or additions by the perpetrators.”
The agency did not explain exactly what information was altered — but cybersecurity experts say such practices are typical of disinformation campaigns launched by governments.
Italian cybersecurity firm Yarix said it found the 33-megabyte leak on a well-known underground forum with the title “Astonishing fraud! Evil Pfffizer! Fake vaccines!” It was apparently first posted on Dec. 30 and later appeared on other sites, including on the dark web, the company said on its website.
Yarix said “the intention behind the leak by cybercriminals is certain: to cause significant damage to the reputation and credibility of EMA and Pfizer.”
Cybersecurity consultant Lukasz Olejnik said he believed the intention was far more broad.
“I fear this release has a significant potential of sowing distrust in the EMA process, the vaccines, and vaccination in Europe in general,” he said. “While it is unclear as to who may be behind this operation, it is evident that someone determined allocated resources to it.”
“This is an unprecedented operation targeting the validation of pharmaceutical material, with potentially broad negative effects on the health of Europeans if it leads to undermining trust in the vaccine,” Olejnik added.
The EMA said law enforcement authorities are taking “necessary action” in response to the hack and a criminal investigation is ongoing.
It said that given the devastating toll of the pandemic, there was an “urgent public health need to make vaccines available to EU citizens as soon as possible.” The EMA insisted that despite that urgency, its decisions to recommend the green-lighting of vaccines were based “on the strength of the scientific evidence on a vaccine’s safety, quality and efficacy, and nothing else.”
The EMA, which is based in Amsterdam, came under heavy criticism from Germany and other EU member countries in December for not approving vaccines against the virus more quickly. The agency issued its first recommendation for the Pfizer and BioNTech vaccine weeks after the shot received approval in Britain, the United States, Canada and elsewhere.
The EMA recommended a second vaccine, made by Moderna, for use earlier this month. A third shot made by AstraZeneca and Oxford is currently under consideration by the agency.