ExecuPharm, a provider of pharmaceutical clinical research support services, has suffered a data security incident that has reportedly been identified as a CLOP ransomware attack, coupled with a corresponding data leak.
Security experts have expressed concern that cybercriminals will target health care organizations at a time when their services may be needed to help respond to the ongoing COVID-19 pandemic. It was already reported last month that the actors behind Maze ransomware were actively extorting Hammersmith Medicines Research (HMR), a UK-based clinical research organization that’s been preparing to play a potential role in testing vaccine candidates for the novel coronavirus.
Now comes an assault against ExecuPharm – a King of Prussia, Penn.-based subsidiary of biopharmaceutical services company Parexel – which provides the pharma industry with such offerings as clinical monitoring, medical monitoring, site contracts and vendor oversight. It is unclear to what extent ExecuPharm is providing services that support COVID-19 research efforts.
An official security notification filed by ExecuPharm with the state of Vermont states that on March 13 company files were encrypted and corporate and personnel information was compromised and potentially accessed.
“As part of this incident, ExecuPharm employees received phishing emails from the unknown individuals. Upon a thorough investigation, ExecuPharm determined that the individuals behind the encryption and the sending of these emails may have accessed and/or shared select personal information related to ExecuPharm personnel, as well as personal information related to select personnel of Parexel, whose information was stored on ExecuPharm’s data network,” the notification explains.
TechCrunch would later report that the actors behind CLOP published data stolen from ExecuPharm’s servers as part of an extortion plot designed to force the company to pay up rather than see sensitive data get leaked.
ExecuPharm has disclosed that stolen employee files included such data as an individual’s social security number, taxpayer ID/EIN, driver’s license number, passport number, bank account number, credit card number, national insurance number, national ID number, IBAN/SWIFT number, and beneficiary information.
The company says it has responded to the incident by alerting law enforcement, rebuilding impacted servers from back-up servers, isolating and later restoring affected systems, forcing password resets, and introducing new protective measures including multi-factor authentication for remote access and endpoint protection, detection and response tools. People can see what was in their potentially compromised employee files by contacting [email protected]