Patient Data Exposed in AstraZeneca’s Password Lapse

This error reportedly originates from a developer who left the credentials for an AstraZeneca internal server on code-sharing site GitHub in 2021


Pharmaceutical giant AstraZeneca accidentally left a set of credentials exposed online for more than a year, which, unsurprisingly, opened up access to sensitive patient data.

This “user error,” as AstraZeneca describes it, originates from a developer who left the credentials for an AstraZeneca internal server on the code-sharing site GitHub in 2021. Those credentials, according to Mossab Hussein — chief security officer at cybersecurity startup SpiderSilk — then allowed access to a test Salesforce cloud environment which contained some real patient data.

Some of the data found in that Salesforce environment is related to AZ&ME applications, which offer discounts to patients who need medications.

TechCrunch first reported on the issue and provided details of the exposed credentials to AstraZeneca, which then took down the GitHub repository containing them.

“The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws,” AstraZeneca spokesperson Patrick Barth told TechCrunch in a statement. “Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations.”

It is, however, unclear whether anyone actually obtained the patient data and, if so, what the company intends to do about it.

For what it's worth, AstraZeneca is not the only company to have left its credentials unprotected on GitHub. Security researchers from SpiderSilk have previously discovered exposed data belonging to Samsung, Clearview AI, MoviePass and Microsoft.

“This isn’t the first time we’ve come across leaked credentials put on Github by engineers due to human error, and it just keeps happening across the board,” Hussein told TechCrunch. “The risk in these accidental leaks is that they occur randomly, and the exploitation path is often straightforward (i.e., making threat actors’ jobs easier).”
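The kind of leak described above, a credential hard-coded in a file that then lands in a public repository, is routinely caught by a secret scanner run as a pre-commit hook or in CI. The following is an added example (not AstraZeneca's, SpiderSilk's or GitHub's code) of a minimal scanner that combines key-name patterns, a known key-prefix pattern and an entropy check while skipping obvious placeholders; the sample settings file is constructed, and AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID, not a live credential.

```python
import math
import re
from typing import List, Tuple

# Patterns chosen for this example; a production scanner would carry many more.
KEY_ASSIGN = re.compile(
    r'(?i)(password|passwd|secret|token|api[_-]?key|client[_-]?secret)'
    r'\s*[:=]\s*["\']?([^"\'\s]{8,})')
AWS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
PEM_HEADER = re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----')
PLACEHOLDERS = ("changeme", "<redacted>", "${", "example", "xxxx")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    return any(p in value.lower() for p in PLACEHOLDERS)


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, masked preview) for each suspect line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_HEADER.search(line):
            findings.append((lineno, "private-key", "PEM header"))
            continue
        aws = AWS_KEY_ID.search(line)
        if aws:
            findings.append((lineno, "aws-access-key-id", aws.group(0)[:8] + "****"))
            continue
        m = KEY_ASSIGN.search(line)
        if m and not is_placeholder(m.group(2)):
            value = m.group(2)
            # Flag values that look random or are long enough to be real secrets.
            if shannon_entropy(value) >= 3.0 or len(value) >= 16:
                findings.append((lineno, "assignment:" + m.group(1).lower(), value[:4] + "****"))
    return findings


# Constructed sample file; none of these values are real credentials.
SAMPLE = """# settings.py (constructed sample)
SALESFORCE_USER = "svc-integration@example.com"
SALESFORCE_PASSWORD = "Tr0ub4dor&3xXq9Lm2"
API_TOKEN = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DEBUG = True
"""

if __name__ == "__main__":
    for lineno, kind, preview in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} ({preview})")
```

Wiring `scan_text` into a pre-commit hook that rejects the commit on any finding stops the credential before it ever reaches GitHub, where removing it from history is far harder than never pushing it.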

On your end, there is little you can do once your personal information is caught up in a major hack or leak. You can, however, practise good online hygiene and be careful about what you click on the web and in your email. And also use a VPN. 😉