The US drug regulator has taken the unusual step of having the Covid-19 vaccine data physically delivered by FBI agents, refusing to send it over the internet for fear of a cyber attack.
Vaccine makers sent sensitive documents to the Food and Drug Administration on a USB key given to the FBI, according to people familiar with the matter. The FDA, which typically takes submissions electronically, has taken extra precautions due to the sensitivity of the coronavirus vaccine documents, people said.
Cyber security experts have warned that hackers are monitoring the vaccine development process, with the possible aim of stealing intellectual property or wreaking havoc by disrupting it. The United States and the United Kingdom have previously accused of state sponsored hackers in China and Russia target groups developing vaccines and treatments against Covid-19.
These risks were underscored last week when vaccine makers Pfizer and BioNTech said some of their documents were exposed during a cyber breach targeting the European Medicines Agency, the European medicines regulator.
The US regulator said it is always improving its cybersecurity strategies and employing specialists to help it meet “the demanding challenges of protecting highly sensitive information.”
Michael Farrell, co-executive director of Georgia Tech’s Institute for Information Security & Privacy, said efforts by the FDA to protect unclassified vaccine data showed the “severity of threats in 2020.”
“This kind of conscious decision, to avoid the network and transfer the data manually, raises concerns about adversaries targeting the systems between researchers and the FDA,” he added.
“There are many parties involved in the Covid-19 vaccine supply chain: research, development, testing, distribution, and then medical providers do the inoculation. They are all attacked.
The EMA, which allows companies to transmit key data through an online portal, said last week that its servers were the target of a cyber attack. He said he was working with law enforcement and briefing the businesses involved.
Ugur Sahin, chief executive of BioNTech, said he hoped the EMA would learn from the attack.
“You still think it’s kind of too much protection, until you realize it’s all right,” he told the Financial Times.
Dr Sahin added that the partners still assess what has been stolen but their intellectual property is patented, which could offer trade protection in case someone tries to duplicate their work. But even if hackers have gained access to important data, they are unlikely to have the skills and experience to figure out how to make a vaccine, he said.
Moderna, which is submitting documents to the EMA as part of a “continuous review” of its vaccine candidate, said on Friday it had not been made aware of any documents exposed in the violation. AstraZeneca, which is also seeking approval for a Covid-19 vaccine from the European regulator, declined to comment.
The agency said it was using an “electronic exchange standard” rolled out by major regulators around the world, including the FDA.
It might have more difficulty keeping the data offline as it has to share the information with at least 27 regulators across Europe. Senior health officials working for EU member states said national systems did not appear to have been compromised, which one official described as a “nightmare scenario”.
The Amsterdam-based regulator, who moved to London following Britain’s vote to leave the EU, said it remained fully functional and that the deadlines for assessing Covid- 19 were not affected.
Additional reporting by Kiran Stacey in Washington