The Shionogi case: What happens when pharma fails to monitor ex-employees
Every landlord knows to change the locks after a tenant leaves—but at least one pharmaceutical company didn't similarly change
the internal passwords after an IT worker left—and suffered the consequences. Jason Cornish, a former IT specialist of Shionogi,
Inc., the United States subsidiary of that Japanese pharmaceutical company, resigned just ahead of a major cutback that made
redundant a former supervisor and close friend. In revenge for his friend's termination, Cornish gained unauthorized access
to Shionogi's computer network using a "back door" he'd installed before his resignation. Cornish then used the secretly installed
software program to delete the contents of each of 15 "virtual hosts" on Shionogi's computer network.
These 15 virtual hosts (subdivisions on a computer designed to make it function like several computers) housed the equivalent
of 88 different computer servers. Cornish used his familiarity with Shionogi's network to identify each of these virtual hosts
by name or by its corresponding Internet Protocol address.
The deleted servers housed most of Shionogi's American computer infrastructure, including the company's e-mail and Blackberry
servers, its order tracking system, and its financial management software. The attack effectively froze Shionogi's operations
for a number of days, leaving company employees unable to ship product, cut checks, or communicate by e-mail.
Cornish was eventually traced to the IP address of a McDonald's restaurant in Georgia where he'd charged a meal with a credit
card at the time the Shionogi systems had been hacked. He was sentenced to 41 months in prison, and required to pay $812,567
The Shionogi experience demonstrates just a small fraction of the risk of improperly secured computer systems, and failure
to consider the possibility of criminal or terrorist acts by former employees who leave with valued information. The risk
of cyber-access for pharma goes far beyond vandalizing a company's systems—it potentially spans criminal interest in a company's
secret manufacturing and security technology, as well as providing the grist for political attacks designed to embarrass or
damage the pharmaceutical industry.
Suppose, for example, a former pharma company IT specialist sells his access information to criminals with economic or political
» The access information could be sold to international customers interested in mining the company's R&D computers for unpatented
technology or secret manufacturing technology. It could steal the company's unpublished adverse reactions reports, tests using
laboratory animals, or information on the status of contract negotiations.
» The same information could be used to access a company's HR records, where terrorists could find employees with internationally
vulnerable families—employees who could be blackmailed to steal biologicals or toxins with terror potential, or to reveal
technology such as how to produce the three-micron particles needed to weaponize agents like anthrax.
» Counterfeiters might value knowing the source and composition of proprietary coatings and packaging materials, so they can
more easily produce fakes capable of escaping detection by the closest visual examination.
» Criminals in the raw materials supply chain may wish to exploit knowledge of incoming assay tests so they can subvert those
tests by substituting cheap adulterated additives. Baxter's Chinese suppliers of heparin precursor knew about Baxter's safety
inspection tests, and substituted cheap oversulfated chondroitin for expensive heparin precursor.
» Other criminals in the supply chain may wish to learn how to penetrate track-and-trace security—or even the schedule of
truck shipments to distant warehouses or wholesalers.
» The Japanese terror group Aum Shinrikyo, responsible for a 1995 sarin gas attack on the Tokyo subway system, tried to manufacture
anthrax and botulinum toxin from common non-pathologic strains. They didn't order pathologic forms from lab supply houses
because of traceability after an attack. Today, a terrorist group might use its digital expertise to exploit gaps in a pharmaceutical
company's computerized purchase-authorization process to generate orders for dangerous biologicals, and to intercept those
orders in transit—thus obtaining vastly more potent organisms than the ones the Japanese cult tried to culture and scale up
almost 20 years ago. The cyber threat to pharma from terrorist groups is especially troubling in Japan, because the surviving
members of Aum Shinrikyo—regrouped under an organization named with the Hebrew letter "Aleph"—have morphed into a software
company specializing in security software. Before its front company names were penetrated, Aleph sold its software programs
to at least 10 government agencies, including the Defense Ministry, and more than 80 major Japanese companies. Although the
software was removed when its developers were identified, Japanese security officials worry that inadvertent collaboration
with terrorist-background individuals might have given them valuable information on how major companies and the government
protect their secrets.
Pharma as a political target
Politically-based cyber-attacks on pharma came to international attention on December 8, 2012, when the global hacker group
Anonymous announced via YouTube that it intended to attack the global pharmaceutical industry, in a manifesto dubbed "Operation
Bad Pharma." The goals of Anonymous appear to harmonize with those of domestic groups pledged to violence against drugmakers,
like the UK Animal Liberation Front. In addition to targeting pharma, Anonymous proclaimed it intended to target Israel after
the November 2012 rocket attacks on Israeli territory from Gaza—a troubling connection between anti-pharma international hackers
and Mid-East militants.
Conclusion: act preemptively to prevent
For managers dealing with day-to-day business challenges, the security issues and risks raised here may seem too remote to
merit in-depth consideration and development of action plans. Not since the unsolved 1982 Tylenol poisonings has the US pharmaceutical
industry even been considered as a potential vector through which a terrorist group or lone wolf might inflict death or illness
on the general population. Since that episode, the pharma, cosmetics and food industries have all taken steps to protect their
products against field tampering.
However, the industry faces a changed world with different political threats, and new technologies by which terrorists might
exploit security gaps. Whether manufacturing brand or generics, solid dosage forms or injectables, every pharmaceutical company
should reevaluate its procedures to prevent the entry of criminals and others through their HR departments, supply chains,
warehouses, transportation systems, purchasing departments and computer networks. Only formal security Standard Operating
Procedures (SOPs) as rigorous as those for quality assurance and GMP, and which are routinely reconsidered and tested, can
reduce the risk of involvement in a potentially fatal imagination failure.
Miriam Halperin Wernli, PhD, is Vice President, Deputy Head Global Clinical Development and Global Head Business & Science Affairs, at Actelion
Pharmaceuticals in Allschwil, Switzerland. She can be reached at firstname.lastname@example.org.
Boaz Ganor, PhD, is co-founder of the International Centre for the Study of Radicalization and Political Violence (ICSR), a partnership
of the University of Pennsylvania; the Interdisciplinary Center, Israel; King's College, London; and the Regional Center on
Conflict Prevention (RCCP), Jordan. He is also deputy dean of the Lauder School of Government at The Interdisciplinary Center
as well as executive director of the International Institute for Counter Terrorism (ICT), an academic policy research institute
dedicated to innovative public policy solutions to international terrorism. He can be reached at email@example.com.
They are co-authors of "Dangerous Liaisons" on pharma terrorism risk for World Pharmaceutical Frontiers and speak on this
topic at meetings and workshops for security personnel.