Press Release: Europe’s top 10 pharma manufacturers all have vulnerable web applications

Outpost24 research reveals EU pharmaceutical companies including Valium producer, Roche Pharmaceuticals, vaccine manufacturer Sanofi and COVID-19 Vaccine creators AstraZeneca all showed web application vulnerabilities

London, 9 November, 2021 – Outpost24, an innovator in identifying and managing cybersecurity exposure, today announced the results of its 2021 Web Application Security for Healthcare report for the top 10 European pharmaceutical organizations, as ranked by Drugs Discovery and Development based on annual revenue, R&D spend, employee numbers, leadership and more.

Using Outpost24’s external attack surface management tool, the study evaluates the digital footprint of the Top 10 pharmaceutical organizations in the EU by discovering their internet facing web services and scoring the security exposure identified. Nearly 80% of organizations studied were over what Outpost24 consider as ‘critically exposed’ – above 30, indicating a high susceptibility to have security vulnerabilities presented externally for potential exploits. The findings revealed that the top EU pharmaceutical organizations run an exceptionally large amount of web applications compared to other industries, with 3% of them considered suspicious (e.g., test environments that should’ve be removed), and a further 18% using outdated components containing known vulnerabilities.

In the wake of the pandemic, the pharmaceutical and healthcare industry have become “big game” targets for cybercriminals, with by far the highest cost of data breach and prime examples including: COVID-19 vaccine producer, Pfizer/BioNTech, where thousands of sensitive information was leaked, recent targeting of ExecuPharm in March 2020 by nation state TA505 using Clop ransomware and the devastating impact on patients in the Springhill Medical Centre IT system attack.

Outpost24’s latest report examined the unique attack surface of pharmaceutical applications, highlighting how the pandemic has exacerbated cyber risk and presenting practical recommendations for mitigation.

Key Findings:

  • Within the Top EU pharmaceutical organizations, 18% are running on old components containing known vulnerabilities
  • EU pharma organizations run a staggering 20,394 web applications over 9,216 domains which is the region’s largest digital footprint across Retail, Credit Unions, and Insurance companies, with 3.3% considered to be suspect.
  • Amongst the 7 most targeted attack vectors in web applications, Degree of Distribution (78.96), Page Creation Method (73.8) and Active Content (72.7) are the top 3 attack vectors identified
  • More than 200 EU pharmaceutical applications have unencrypted login forms putting clients and patients at risk of data exposure.

The report also highlights several other security and compliance issues including basic SSL, cookie settings, and privacy policy defects. Many of the attack vectors identified are easily fixable and could make a significant difference to reducing the risk of cyber-attacks and protecting critical patient information, intellectual property for new drugs and vaccines.

“As the attack surface and trade secrets that pharmaceutical organizations process become more pertinent, it will give threat actors more reasons and motivations to step up malicious attacks for profit and put public health at risk.” Nicolas Renard, Security Researcher at Outpost24.

“This research highlights the complexity of modern-day pharmaceutical and healthcare applications and the vast volume exposed on the Internet,” said Stephane Konarkowski, Security Consultant at Outpost24. “These results demonstrate how crucial it is for the industry to review their external footprint and vulnerability exposure to improve security hygiene in the face of the ransomware pandemic.”

About Outpost24

The Outpost24 group helps organizations limit their digital exposure with a complete range of cyber risk management solutions. Outpost24’s cloud platform unifies asset inventory, automates security assessments, and quantifies risk in business context. Executives and security teams around the world trust Outpost24 to prioritize the most important security issues across their entire IT infrastructure for accelerated risk reduction. Founded in 2001, Outpost24 is headquartered in Sweden, with additional offices in the US, the UK, the Netherlands, Belgium, Denmark, France, and Spain.