Protecting IT systems
Chapter 1 - Key achievements in 2021

Protecting IT systems against cyberattacks

During 2021, EMA successfully strengthened its IT security systems after it had become the subject of a cyberattack in December 2020.

The Agency swiftly launched a full investigation, in close cooperation with Dutch police authorities, the Computer Emergency Response Team for the EU Institutions, bodies and agencies (CERT-EU) and Europol, the EU’s law enforcement agency. To support the full investigation, EMA also engaged a specialised IT security company to advise and assess the additional security measures that were immediately put in place in response to the data breach. The Management Board, the European medicines regulatory network and the European Commission were informed promptly and received regular updates.

The criminal intrusion into EMA’s IT systems was successfully contained. The Agency and the European medicines regulatory network remained fully functional, and timelines related to the evaluation and approval of COVID-19 vaccines and treatments were not affected.

The investigation showed that data was unlawfully accessed, including a limited number of documents belonging to third parties. Further evaluation revealed that the data breach was limited to one IT application and that the perpetrators primarily targeted data related to COVID-19 medicines and vaccines. This included internal/confidential email correspondence dating from November 2020, relating to evaluation processes for COVID-19 vaccines. 

Some of the breached documents, including email correspondence, were leaked on the internet and picked up by some media outlets. Not all of the documents were published in their integral, original form, and they may have been taken out of context. Whilst individual emails were authentic, data from different users were selected and aggregated, screenshots from multiple folders and mailboxes were created, and additional titles were added by the perpetrators.

Some of the unlawfully accessed documents contained personal data. EMA notified the European Data Protection Supervisor and jointly agreed follow-up actions. EMA also informed all concerned third parties of the breach in order to provide support, assess the nature of the personal data and notify the person concerned of the risk identified. All requests by data subjects to access their data were granted.

The Agency enforced its cybersecurity insurance policy, in place since 2019, and was able to recover 100% of all disbursements borne in connection with the cyberattack.

EMA has, as a result of the COVID-19-related cyberattack, further strengthened its defensive cybersecurity capabilities. The Agency has been dedicating resources and investing significantly to avoid cybersecurity issues. It has been enhancing its IT systems as a priority to protect against future attacks. A revision of EMA’s information security strategy is also underway, with the aim of putting in place a three-year improvement road map in line with best practices for similar organisations.