AstraZeneca Breach – One Leaked Password, Dozens of Exposed Records

Data breaches have reached a new high in 2022. But the problem is: Not every incident is due to cybercriminals infiltrating the companies’ systems. Most of the time, it’s the employees or customers who slip up and cause the damage. That’s exactly what happened with none other than AstraZeneca.

AstraZeneca is a pharmaceutical giant that’s been around for quite some time now. It’s one of the few firms that found a cure for the Coronavirus. Unfortunately, despite its advanced equipment, a simple slip-up allowed the exposure of its patients’ sensitive information.

Apparently, a developer left credentials for an AstraZeneca internal server on GitHub, leaving a test Salesforce cloud environment completely vulnerable to any kind of access. What is this about and how did AstraZeneca deal with this problem? Here’s what we know.

AstraZeneca Breach – A User Error?

As we mentioned, data breaches are occurring frequently and several ones are due to a mistake caused by employees or users.

In AstraZeneca’s case, the company blames a “user error” for leaving credentials online on Github since 2021, which exposed access to sensitive patient data.

We already stated that the Salesforce cloud environment what got breached. But what does it host? It’s definitely patients’ information, but not all of them.

In fact, this cloud environment includes the data related to AZ&ME applications. It’s a system that helps those who can’t afford their medication and offers them discounts.

Basically, those who are prescribed an AstraZeneca medication can apply for the discount service. However, just like any applicant to a savings program, they should provide sensitive information, including names, addresses, doctor’s data, health insurance, and income.

So, what did this breach compromise overall? So far, AstraZeneca claims that the breached data is limited. Moreover, the company is not sure whether anyone with ulterior motives has accessed it. Here’s what AstraZeneca spokesperson Patrick Barth had to say:

“The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws.

Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations.”

The credentials on Github were discovered by Mossab Hussein, a chief security officer at cybersecurity startup SpiderSilk, who shared the information with the famous firm TechCrunch.

Such mistakes are common and they happen randomly. What’s worse is that they make the cybercriminals’ job very easy when it comes to exploiting what’s already been freely given.

One Mistake Causes Data Mayhem

AstraZeneca has been providing medical solutions for years now and it has millions of customers around the world. Imagine if the data they have gets exposed. How negatively impactful would such a breach be? It’s not the first “Medical firm” to be breached, after all.

According to the company, the latest breach is very limited. But based on how big the company is, limited is still huge. AstraZeneca did not disclose if the data has been misused, we’ll have to wait for additional details to unfold.