The Human Factor in Data Security Breaches

The pandemic’s exacerbation of the pharmaceutical industry’s exposure to data breaches has been one of the many disquieting side effects of life under COVID-19. In showing the extent of this security compromise among the Fortune 500 top 20 pharma companies, Constella Intelligence’s new study, Pharma Sector Exposures Report: 2018–2021 Digital Risk Findings and Trends, makes for particularly unnerving reading, comparing as it does the number and type of data breaches that occurred during the pandemic period (up to September 2021) with those that took place in the two years before COVID.

Constella reports that the number of data breaches affecting these top 20 pharma companies rose from 1,930 in 2018 to 2,165 in 2019 and then to 3,619 in 2020. Breaches from January to September 2021 take the total number to 9,830. The resulting number of records exposed from those breaches is some 4.5 million. Around two-thirds (64%) of the breaches and leakages identified include personally identifiable information (PII), with the most common attributes being email, password, name, username, phone number, address, date of birth, and credit card information. In a closer study of 78 executives from these companies, Constella found that 58% had their corporate credentials leaked since 2018, with nearly a third having their passwords exposed in breaches.

“Employees with privileged access to corporate networks and critical digital or physical infrastructure are principal attack targets for threat actors,” warns the report.

Feeding the threat actors

Putting these sobering figures into context, Jonathan Nelson, digital intelligence specialist at Constella, says that the report shows that pharma executives are not immune to data breaches, with well over half having their exposed corporate credentials circulate “on the deep and dark web.” He adds that employees are using corporate credentials to register on what appear to be non-essential sites, such as retail, online banking, gaming, sports, and social media. With two-thirds of breaches exposing PII, threat actors are thus supplied with the sensitive data needed to design future, more sophisticated attacks against individuals and organizations.

With the pandemic accelerating the pre-existing trend for operational digitization, companies’ levels of digital risk increased correspondingly, explains Nelson.

“These challenges were highly relevant before COVID,” he points out. “However, the intensity and durability of this new paradigm has transformed the threat landscape for cybercriminals and the companies that must address evolving modalities of digital risk.”

Cybersecurity’s ‘most important element’

“The financial and reputational cost of these risks is untenable,” Constella states. According to IBM’s 2021 Cost of Data Breach Report, the average cost of a pharma breach in 2021 was more than $5 million—the third-highest cost behind the financial and healthcare sectors. The Constella study reveals that most of these breaches are taking place in the US; over 30% of the reported breaches and leakages are from companies or sites in the US (UK companies are the next-most exposed, but there the total is only 3%).

So, what can pharma companies do now to secure themselves against future attacks? Organizations have undergone a relatively rapid shift without ample time to prepare their workforces for the new threat landscape, Nelson tells Pharm Exec. Part of the response must involve cyber education, awareness, and digital “hygiene.”

He explains that it is also “imperative that companies invest in threat detection solutions for proactively monitoring, anticipating, and responding to threats related to the most important element in corporate cybersecurity—people.”

Companies thus need to make it clearer how humans—employees and executives alike—are “a vector of attack that puts brands and companies at risk.”

Julian Upton is Pharm Exec’s European and Online Editor. He can be reached at jupton@mjhlifesciences.com.