Charles River is latest pharma co to face cyber attack

In another example of a biopharma company targeted by cyber criminals, Charles River Laboratories has disclosed an attack that harvested data from around 1 per cent of its clients.

The attack occurred in March and was carried out by a “highly sophisticated, well-resourced intruder”, according to a Securities & Exchange Commission (SEC) filing by the contract research organisation on Tuesday (April 30). The company says it has closed the point of entry used in the attack.

There’s no evidence yet that any of the stolen data has been deleted, corrupted or altered, says Charles River, adding that it has taken steps to contact all the organisations affected by the breach. For now the financial impact is unknown, and Charles River has merely said that the 1% figure “does not necessarily equate to the potential revenue or financial impact related to this incident, which the company has yet to determine.”

The incident comes shortly after German pharma and chemicals giant Bayer revealed it had suffered a sustained cyber-attack, thought to originate from a China, that is thought to have been aimed at stealing commercial secrets.

Two years ago, Merck & Co revealed it was hit by WannaCry ransomware. Merck’s cyber-attack cost the company around $135m in lost revenue due to production shutdowns and lost sales, and spent around $175m in remediation costs. Its insurers refused to cover the loss, claiming the damages were an act of war and so exempt.

“Promptly upon detection of unusual activity in its information systems in mid-March, the company commenced an investigation into this incident, coordinated with US federal law enforcement, and engaged leading cybersecurity experts,” says Charles River in its filing.

It adds that it “continues to move aggressively to further secure its information systems, which includes adding enhanced security features and monitoring procedures to further protect its client data.”

One of Charles River’s clients – a biotech startup called Nivien Therapeutics – has revealed that the attack exposed the identity of its therapeutic target and other potentially valuable data. Nivien is no longer operational, but its former CEO Nathanial Brooks Horwitz wrote in a blog that “were we still in business, the breach may have jeopardised our endeavour.”

Earlier this year, the US Department of Homeland Security said biopharma companies were among 10 sectors being targeted by Chinese hackers with the aim of stealing industrial secrets, while a survey in March revealed that more than two-thirds of US organisations think their cybersecurity teams are understaffed.

Recent research from Reboot, based on ProofPoint data, has suggested that pharmaceutical companies have become the most highly targeted industry for phishing and malware attacks, with 71 attacks per company on average over a three-month period, followed by construction (61 attacks) and real estate companies (54 attacks).