BreachExchange mailing list archives

Drug companies fear cyber thieves may have accessed corporate secrets


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Dec 2013 00:46:37 -0700

http://www.theglobeandmail.com/technology/tech-news/hacker-breach-of-us-fda-spark-drugmaker-fears-of-cyber-espionage/article16022874/

The U.S. Food and Drug Administration is under pressure from the
pharmaceutical industry and lawmakers to undergo an independent security
audit, after hackers broke into a computer system used by health care
companies to submit information to the agency.

Drug companies fear the cyber thieves may have accessed corporate secrets
that are on file with the agency, such as data about drug manufacturing,
clinical trials, marketing plans and other proprietary information.

While some lawmakers charge that the hackers breached the FDA’s gateway,
compromising confidential business data, the agency argues that the access
was limited.

The breach came to light last month when the FDA sent letters to users of
an online system at the Center for Biologics Evaluation and Research. The
letters said the breach was detected by the FDA on October 15 and that it
resulted in the theft of usernames, phone numbers, e-mail addresses and
passwords.

The U.S. House of Representatives Energy and Commerce Committee launched an
investigation, and last week four senior Republican members of that
committee sent a letter to FDA Commissioner Margaret Hamburg asking her to
immediately launch a third-party audit that would “assess and ensure the
adequacy of FDA’s corrective actions” following the breach.

Washington-based pharmaceutical industry trade group PhRMA said on Tuesday
that it supported the committee’s request for an independent audit.

“It is the legal obligation of the Food and Drug Administration to protect
companies’ trade secrets and confidential commercial information,” PhRMA
Vice President Sascha Haverfield said in a statement. The group’s members
include Amgen Inc, Daiichi Sankyo, GlaxoSmithKline, Johnson & Johnson,
Merck & Co and Novartis AG.

The FDA’s breach notification letter, which was published in pharmaceutical
trade publications, referred to the compromised system as an “online
submission system” at the Center for Biologics Evaluation and Research.

That alarmed drugmakers, which provide the FDA with highly sensitive data –
which would be priceless to a competitor – when they submit applications
seeking approval for new drugs, biologics and medical devices.

In their letter to the FDA, the Energy and Commerce Committee members
charged that the attackers had breached the “FDA’s gateway system,”
compromising confidential business information along with sensitive data
about patients enrolled in clinical trials.

FDA spokeswoman Jennifer Rodriguez said that was wrong.

“The system that was attacked maintains account information for the
Biologic Product Deviation Reporting System, the Electronic Blood
Establishment Registration System and the Human Cell and Tissue
Establishment Registration System,” she said.

“This system is not used to submit any applications. It is not the
electronic gateway that was breached,” she added.

She also said that the agency was not aware of any attempts to use stolen
information for “criminal or other inappropriate purposes.”

Rodriguez declined to comment on the requests for an outside audit or say
whether the breach had affected more than the 14,000 accounts disclosed to
date.

Tracy Cooley, a spokeswoman for the Biotechnology Industry Organization,
another healthcare industry trade group, said her organization also had
concerns about the breach.

“We support Congress investigating this situation,” she said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
