Skip to main content

Press Release: Europe’s top 10 pharma manufacturers all have vulnerable web applications

09.Nov.2021
Outpost24 research reveals EU pharmaceutical companies including Valium producer, Roche Pharmaceuticals, vaccine manufacturer Sanofi and COVID-19 Vaccine creators AstraZeneca all showed web application vulnerabilities

London, 9 November, 2021 - Outpost24, an innovator in identifying and managing cybersecurity exposure, today announced the results of its 2021 Web Application Security for Healthcare report for the top 10 European pharmaceutical organizations, as ranked by Drugs Discovery and Development based on annual revenue, R&D spend, employee numbers, leadership and more.

Using Outpost24’s external attack surface management tool, the study evaluates the digital footprint of the Top 10 pharmaceutical organizations in the EU by discovering their internet facing web services and scoring the security exposure identified. Nearly 80% of organizations studied were over what Outpost24 consider as ‘critically exposed’ – above 30, indicating a high susceptibility to have security vulnerabilities presented externally for potential exploits. The findings revealed that the top EU pharmaceutical organizations run an exceptionally large amount of web applications compared to other industries, with 3% of them considered suspicious (e.g., test environments that should’ve be removed), and a further 18% using outdated components containing known vulnerabilities.

In the wake of the pandemic, the pharmaceutical and healthcare industry have become “big game” targets for cybercriminals, with by far the highest cost of data breach and prime examples including: COVID-19 vaccine producer, Pfizer/BioNTech, where thousands of sensitive information was leaked, recent targeting of ExecuPharm in March 2020 by nation state TA505 using Clop ransomware and the devastating impact on patients in the Springhill Medical Centre IT system attack.

Outpost24’s latest report examined the unique attack surface of pharmaceutical applications, highlighting how the pandemic has exacerbated cyber risk and presenting practical recommendations for mitigation.

Key Findings:

  • Within the Top EU pharmaceutical organizations, 18% are running on old components containing known vulnerabilities
  • EU pharma organizations run a staggering 20,394 web applications over 9,216 domains which is the region’s largest digital footprint across Retail, Credit Unions, and Insurance companies, with 3.3% considered to be suspect.
  • Amongst the 7 most targeted attack vectors in web applications, Degree of Distribution (78.96), Page Creation Method (73.8) and Active Content (72.7) are the top 3 attack vectors identified
  • More than 200 EU pharmaceutical applications have unencrypted login forms putting clients and patients at risk of data exposure.

The report also highlights several other security and compliance issues including basic SSL, cookie settings, and privacy policy defects. Many of the attack vectors identified are easily fixable and could make a significant difference to reducing the risk of cyber-attacks and protecting critical patient information, intellectual property for new drugs and vaccines.

“As the attack surface and trade secrets that pharmaceutical organizations process become more pertinent, it will give threat actors more reasons and motivations to step up malicious attacks for profit and put public health at risk.” Nicolas Renard, Security Researcher at Outpost24.

“This research highlights the complexity of modern-day pharmaceutical and healthcare applications and the vast volume exposed on the Internet,” said Stephane Konarkowski, Security Consultant at Outpost24. “These results demonstrate how crucial it is for the industry to review their external footprint and vulnerability exposure to improve security hygiene in the face of the ransomware pandemic.”

To view the research and a full breakdown of the most prolific vulnerabilities reported within European pharmaceutical organizations, visit here.

About Outpost24

Outpost24 is a leading cyber assessment company focused on enabling its customers to achieve maximum value from their evolving technology investments. By leveraging our full stack security insights to reduce attack surface for any architecture, Outpost24 customers continuously improve their security posture with the least effort. Over 2,000 customers in more than 40 countries around the world trust Outpost24 to assess their devices, networks, applications, cloud and container environments and report compliance status for government, industry sector, or internal regulations. Founded in

2001, Outpost24 serves leading organizations across a wide range of segments including financial and insurance, government, healthcare, retail, telecommunications, technology, and manufacturing.

Looking for anything in particular?

Type your search word here