Constella Web Logo white e1703116556868

Constella Research Finds Widespread Cyber Vulnerabilities for Top Global Fortune 500 Pharma Companies

iStock 1300036732

Following the release of Constella Intelligence’s 2021 Identity Breach Report, new and additional findings on exposures, leakages, and cyber breaches within the pharmaceutical (Pharma) sector, specifically focusing on employees and executives from the top twenty Pharma companies found on the Fortune Global 500 list, have been compiled in this industry-specific report which analyzes data from January 2018 through September 2021. Our research directly focuses on cyber vulnerabilities related to the corporate credentials of employees and executives at the pharma companies analyzed.

According to IBM’s 2021 Cost of Data Breach Report, the average cost of a Pharma breach in 2021 was over $5 million—the third-highest behind Financial and Healthcare. Due to the COVID-19 pandemic and the Pharma sector’s critical role in developing life-saving medicines and vaccines, in addition to the sector’s valuable intellectual property and proprietary information, threats and vulnerabilities specific to the industry are intensifying.

Specifically focusing on the multitude of risks engendered by exposed personally identifiable information (PII), Constella’s Pharma Sector Exposures Report: 2018-2021 Digital Risk Findings and Trends examines the digital risks related to circulating corporate credentials of these organizations. These vulnerabilities represent a combination of human-, technology-, and data-centric risks in that these threats exploit personal data while leveraging sophisticated tactics, techniques, and procedures (TTPs) to launch attacks and/or gather sensitive data of employees and executives. The report—which analyzes identity records from data breaches and leakages found in open sources and on the surface, deep, and dark web—identified a total of 9,030 breaches/leakages and 4,549,871 exposed records related to employee corporate credentials.

Our research shows that the volume of total identity records exposed each year for these Pharma companies increased at an alarming rate from 206,475 in 2018 to over 2.5 million in 2020—a trend coinciding with the onset of the pandemic and the public spotlight placed on major Pharma companies

As seen across other major sectors, the accelerated transition towards remote workforces, driven by the pandemic, amid accelerating operational digitization has increased the overall digital footprint of Pharma companies, leading to more significant digital vulnerabilities and risk.

This valuable, sensitive personal data is frequently transacted on the deep and dark web when an employee’s corporate credentials are exposed. Once in circulation online, cybercriminals can acquire and leverage it to execute a wide range of attacks. In this way, the volume of unmonitored exposed corporate credentials directly correlates with an organization’s digital risk. Exposed PII presents numerous additional attack vectors that can lead to critical systems interruption resulting from a data breach or ransomware attack, for example, and in the case of Pharma, resulting in a shortage of life-saving supplies.

As experts in digital risk protection, cyber intelligence, and cybersecurity continue to proactively track and analyze cybercrime targeting the industry, it is vital to raise awareness regarding the principal points of attack. With increasing intensity, threat actors are exploiting vulnerabilities via the personal information of employees and executives. This report explores the ongoing digital threats Pharma companies face while highlighting the prevalence of exposures, leakages, and breaches related to the corporate credentials of executives and employees.

Key Pharma Cyber Vulnerability Report Findings:

  • Constella identified over 4.5M exposed records from nearly 10K breaches and leakages, exposing the corporate credentials of employees from the Top 20 Global Fortune 500 Pharma companies between 2018 and 2021
  • Nearly two-thirds of breaches and leakages in the Pharma sector since 2018 include personally identifiable information (PII), with the most common attributes being email, password, name, username, phone number, address, date of birth, and credit card information.
  • A sample of 78 executives (C-suite profiles) from top Pharma companies found that 58% of executives have had their corporate credentials exposed in a third-party breach or leakage since 2018.
  • Approximately 59% of total breaches and 76% of total exposed records identified since 2018 occurred since 2020, signaling both are escalating in the Pharma sector at an alarming rate.

Cyber Vulnerabilities in Pharma Sector Infographic

What Can Be Done to Protect Employees and Companies?

For all organizations, it is crucial to ensure that proper security and password protocols are adhered to no matter where employees are based, as threat actors aim to take advantage of the risks engendered by new hybrid and remote work models introduced due to the COVID-19 pandemic.

The more websites a corporate email address is used on, the more likely it is that an employee’s information could be exposed. Judicious usage of corporate credentials can make a difference in limiting attack vectors that raise vulnerabilities for employees and their corporate networks.

Moreover, it is imperative that companies safeguard individuals with privileged access to corporate networks and critical infrastructure. Changing passwords frequently, not reusing passwords, limiting sharing of personal information on public social platforms, applying customized privacy settings, and using multi-factor authentication are just a few ways employees can protect their data. However, companies must develop proactive, continuous monitoring programs to remain vigilant of exposed sensitive information and personal data circulating on the social, surface, deep, and dark web that can enable a broad range of cyber risks.

Article written by Jonathan Nelson, Digital Intelligence Specialist at Constella Intelligence


Learn More About Your Organization’s Risk Exposure

Executives and key employees like privileged IT personnel and HR are the new attack vector for cybercriminals as they have top-tier access to sensitive information which can lead to credential theft, account takeover, and a ransomware attack. Surprisingly, most organizations do not recognize a need for employee protection – until it’s too late. Constella Employee Protection helps organizations rapidly identify and remediate threats targeting 1000s of key employees at scale with real-time monitoring, and automated early warning alerts when credentials have been exposed.

Read the full Pharma Exposures Report to learn more.

Try our Exposure Risk Tool to see if you, your company, or your employees have been exposed – FREE.