Pharmaceutical giant AstraZeneca has blamed “user error” for leaving a list of credentials online for more than a year that exposed access to sensitive patient data.
Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment, often used by businesses to manage their customers, but the test environment contained some patient data, Hussein said.
Some of the data related to AZ&ME applications, which offers discounts to patients who need medications.
TechCrunch provided details of the exposed credentials to AstraZeneca, and the GitHub repository containing the credentials was inaccessible hours later.
In a statement, AstraZeneca spokesperson Patrick Barth told TechCrunch: “The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws. Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations.”
Barth declined to say for what reason patient data was stored on a test environment, and if AstraZeneca has the technical means, such as logs, to determine if anyone accessed the data and what, if any, data was exfiltrated.
Credentials, like usernames and passwords, that are exposed or inadvertently published to sites like GitHub are an increasingly common discovery for security researchers like SpiderSilk’s Hussein. In the past few years, the startup has discovered exposed data belonging to Samsung, the controversial facial recognition startup Clearview AI; and the since-rebooted movie subscription service MoviePass. In August, Hussein discovered credentials belonging to Microsoft employees that had been posted inadvertently to GitHub, which Microsoft owns.
“This isn’t the first time we’ve come across leaked credentials put on Github by engineers due to human error, and it just keeps happening across the board,” Hussein told TechCrunch. “The risk in these accidental leaks is that they occur randomly, and the exploitation path is often straightforward (i.e., making threat actors’ jobs easier).”