Cencora Breach Fallout Shows the Impact of Supply Chain Attacks on Pharmaceuticals

Written by: Matthew Delman · 5 min read

Back in February 2024, Cencora filed an 8-K with the Securities and Exchange Commission (SEC) noting that they had experienced a data breach. At the time of the filing, there wasn’t much to go on in terms of details about the attack, and no ransomware groups claimed responsibility for the incident.

Now, the impact of the data breach is finally starting to be felt. At last count, 11 major drug companies announced in regulatory filings that they had experienced data breaches related to the February 2024 attack at Cencora. The California Attorney General published multiple data breach notifications, according to BleepingComputer reporting, all of which tied the data breaches back to Cencora’s incident.

The companies using almost identical data breach notifications are:

  1. Novartis Pharmaceuticals Corporation
  2. Bayer Corporation
  3. AbbVie Inc.
  4. Regeneron Pharmaceuticals, Inc.
  5. Genentech, Inc.
  6. Incyte Corporation
  7. Sumitomo Pharma America, Inc.
  8. Acadia Pharmaceuticals Inc.
  9. GlaxoSmithKline Group
  10. Endo Pharmaceuticals Inc.
  11. Dendreon Pharmaceuticals LLC

The impact of this attack demonstrates quite clearly how threat actors have used service providers like Cencora to spread throughout the supply chain and compromise many other organizations.

 

Overview of the Cencora Attack

Back in March, we wrote about the initial filing of the Cencora attack. At the time, the company had released minimal details about how the attack occurred and what was compromised. The letters that the California Attorney General published are the only new information that arose following the conclusion of Cencora’s investigation on April 10, 2024.

The notices reveal that Cencora’s investigation showed that the following information had been exposed: full name, address, health diagnosis, medications, and prescriptions. Cencora and its Lash Group affiliate partner did not mention the number of personal records that were exposed in their May 17 news release or in any subsequent media reports.

Even without confirmation from Cencora and Lash Group on the number of records impacted, the number of companies revealing a breach means that this is a major exposure of patient information. The 11 pharmaceutical companies who experienced data breaches are some of the largest in the world. Novartis alone claims that 250 million people worldwide use their medicines, so even a small database is likely to include several hundred thousand people. The same can be said for others on the list like Bayer, GlaxoSmithKline, and AbbVie.

Supply Chain Attacks Remain a Major Threat Vector

Supply chain attacks are increasingly common. Threat actors can breach one company and then use their customer relationships to have a far greater impact than exfiltrating any single company’s data. Some of the biggest breaches of the past 15 years, in fact, have spread because of vendor relationships and the software supply chain.

  • The Change Healthcare ransomware attack in February 2024 brought down a substantial amount of the U.S. healthcare system. Threat actors encrypting systems at Change resulted in a full system shutdown and rebuild, causing multiple healthcare customers to lose revenue while Change rebuilt their internal systems.
  • The SolarWinds attack in 2020 compromised large parts of the U.S. federal government alongside many other corporate entities that used the SolarWinds Orion IT monitoring system. This attack resulted in substantial exfiltration of sensitive data because someone managed to infiltrate the SolarWinds production server and add malicious code into the product at the design phase.
  • The MOVEit breach of 2023 caused widespread issues among users of the Progress Software tool, resulting in Progress facing 58 different class action lawsuits from organizations worldwide that experienced issues related to the attack.

Threat actors have noticed that there is a massive upside to attacking vendors and suppliers, allowing them to migrate through customer bases and spread the impact of their attack with minimal effort. According to research, there were 242 supply chain attacks in 2023 – more than double the number in 2022. This should come as no surprise. A successful supply chain attack means that threat actors compromise a wide range of organizations with only a little extra effort.

This is more efficient than trying to attack multiple companies at once, so it comes as little surprise that cybercriminals would increase their usage of supply chain compromises. Companies need a new solution to defend against data loss in this more complex environment.

 

How Sotero Helps Defend Against Supply Chain Attacks

Defending against supply chain attacks often requires quick detection of attacks in progress and then locking down the points of entry. The problem with this approach is that it’s highly reactive, waiting for threat actors to take a malicious action. Then incident responders conduct root cause analysis to determine how the attack occurred and potentially close down any security vulnerabilities. The problem is that threat actors will have stolen data and encrypted systems well before defenders notice.

Sotero’s proactive approach with machine learning algorithms empowers customers to analyze each data access request at the moment it’s made, and then review and categorize them based on threat potential. Sotero’s self-training machine learning model performs this analysis in real time, detecting and stopping threats nearly instantly.

The Sotero platform combines data security posture management and data detection and response (DDR), with continuous monitoring and robust ransomware protection across all data architectures. Blending these technologies into a single platform empowers security teams with the ability to automatically discover and classify data, ensure critical data is protected at the highest level, manage access to sensitive information, and meet necessary data compliance standards all from a single platform.

Sotero has extensive experience defending critical pharmaceutical data, as demonstrated by the results of our top 10 pharmaceutical client, who seamlessly protects sensitive data within collective data sets while maintaining the ability to collaborate and analyze data. Additionally, in-depth tracking and monitoring of all access and utilization keeps our client in alignment with the many different regulatory data privacy standards that they must comply with.

With Sotero, companies can be confident that their data is secure and they’re able to control access to sensitive information.

To learn more about Sotero, request a demo today.
