CRO Charles River Labs hacked, data from clients stolen

One of the largest contract research organizations in the world said it was hacked and that data from companies using its services were stolen.

In a Securities and Exchange Commission filing Tuesday, Wilmington, Massachusetts-based Charles River Laboratories said a “highly sophisticated, well-resourced intruder” had broken into its computer systems and copied the data. The number of clients affected constitutes about 1 percent of the total number of organizations contracted with CRL. However, the CRO added that there is no indication any of the data were deleted, corrupted or altered, according to a dedicated page on the company’s website regarding the incident, which occurred in the middle of March.

CRL spokeswoman Amy Cianciaruso said in a phone interview that the SEC filing contained all the information the company would disclose publicly about the incident. However, she noted that because the CRO focuses on preclinical and drug discovery work, the data stolen would not have included patient data.

Shares of the company were down about 2 percent in late-afternoon trading on the New York Stock Exchange Wednesday.

In a FAQ about the incident, CRL said that based on dialogue with federal law enforcement, other companies have also been targeted. Among the 10 largest CROs in the country, none have indicated in SEC filings since the middle of March whether they suffered similar data breaches.

In a post on Medium, biotech entrepreneur Nathaniel Horwitz wrote that his now defunct startup, Nivien Therapeutics, was among that 1 percent of CRL’s clients whose data were compromised. Nivien worked with several contractors on animal studies, chemical screens, assay development and therapeutic candidate optimization. Such data and intellectual property are the “solid gold” of biomedical research and development. “Were we still in business, the breach may have jeopardized our endeavor,” he wrote, adding that the very identity of a drug target, let alone the chemistry, can be worth millions or billions of dollars, especially to startups.

Not surprisingly, such valuable information is solid gold to hackers as well, and CROs present a mother lode.

“We definitely see that, I would say, on a semi-regular basis,” said Luke McNamara, an analyst with San Francisco cybersecurity firm FireEye, in a phone interview. “Specifically for the targeting of entities like contract research organizations, I think it’s in the same vein that we see a lot of other intrusions into targets that aggregate or have access to data from a lot of different organizations.”

Nation-state actors – particularly Chinese espionage groups – are a frequent culprit in intrusions into drug companies and CROs, McNamara said. However, some transnational criminal hacker groups, whose motives are often financial, can be just as sophisticated as their government-sponsored counterparts. As such, he said, CRL’s description of the hackers as “highly sophisticated” and “well-resourced” should not be interpreted to mean they were from nation-state hacking groups, known in the industry as “advanced persistent threats,” or APTs.

The vast majority of intrusions use spear phishing, a term used to describe an innocuous-looking email containing a malicious attachment that allows hackers to break into a computer, he added.

China has a particular interest in lifting biomedical research in order to support its own efforts. “If you look at a lot of the five-year plans and Made in China 2025, that area around cancer research has been a big focus,” McNamara said. “We’ve seen an analogue to that in some of the intrusions and lures used for spear phishing.”

Photo: weerapatkiatdumrong, Getty Images
