The US drugs regulator has taken the unusual step of having Covid-19 vaccine data physically delivered by FBI agents, refusing to send it over the internet for fear of a cyber attack.
Vaccine makers have sent sensitive documents to the Food and Drug Administration on a USB stick handed to the FBI, according to people familiar with the matter. The FDA, which usually takes submissions electronically, took the additional precautions because of the sensitivity of documents relating to coronavirus vaccines, the people said.
Cyber security experts have warned that hackers are scrutinising the vaccine development process, with the possible aim of stealing intellectual property or wreaking havoc by disrupting it. The US and UK have previously accused state-sponsored hackers in China and Russia of targeting groups developing vaccines and treatments for Covid-19.
Those risks were underlined last week when vaccine makers Pfizer and BioNTech said that some of their documents were exposed during a cyber breach targeting the European Medicines Agency, the EU drug regulator.
The US regulator said it was always enhancing its cyber security strategies and employed specialists to help meet “the demanding challenges of protecting highly sensitive information”.
Michael Farrell, co-executive director of the Institute for Information Security & Privacy at Georgia Tech, said the lengths to which the FDA was going to in order to protect unclassified data about vaccines showed the “severity of threats in 2020”.
“That sort of conscious decision, to eschew the network and transfer data manually, hints at concern over adversaries targeting systems between researchers and FDA,” he added.
“There are many parties involved in the supply chain for Covid-19 vaccine: research, development, testing, distribution, and then actual medical providers doing inoculation. They are all under attack.”
The EMA, which allows companies to transmit the key data through an online portal, said last week that its servers were the target of a cyber attack. It said it was working with law enforcement and informing the companies concerned.
Ugur Sahin, BioNTech’s chief executive, said he hoped that the EMA would learn from the attack.
“You always think that this is somehow too much protection, until you understand that everything has its reason,” he told the Financial Times.
Dr Sahin added the partners were still evaluating what had been stolen but their intellectual property was patented, which could offer commercial protection in case anyone tried to replicate their work. But even if the hackers accessed important data, they were unlikely to have the required skills and experience to work out how to make a vaccine, he said.
Moderna, which is submitting documents to the EMA as part of a “rolling review” of its vaccine candidate, said on Friday it had not been informed of any documents exposed in the breach. AstraZeneca, which is also seeking approval for a Covid-19 vaccine from the EU regulator, declined to comment.
The agency said it used an “electronic exchange standard” deployed by major regulators around the world, including the FDA.
It could face more difficulties keeping data offline since it must share the information with at least 27 regulators across Europe. Senior health officials working for EU member states said that national systems did not appear to have been compromised, which one official described as a “nightmare scenario”.
The Amsterdam-based regulator, which moved to London in the wake of Britain’s vote to leave the EU, said it remained fully functional and timelines for the assessment of Covid-19 jabs were unaffected.
Additional reporting by Kiran Stacey in Washington