
AstraZeneca leaked a password that gave access to patient data

Pharmaceutical giant AstraZeneca accidentally left a list of credentials online for more than a year that gave access to sensitive patient data. A developer left the credentials for an AstraZeneca internal server on code sharing site GitHub.

The credentials allowed access to a test Salesforce cloud environment, which would have been a minor incident had the test environment not contained real patient data.

The credentials were found by a security researcher who contacted online newspaper TechCrunch. In turn, TechCrunch provided details of the exposed credentials to AstraZeneca. AstraZeneca made the data inaccessible and told TechCrunch that due to a user error, some data records were temporarily available on a developer platform.

AstraZeneca said it is investigating the root cause and assessing its regulatory obligations.

The data

Some of the data is related to AZ&ME applications, which offer discounts to patients who need medication. For patients that have been prescribed an AstraZeneca medication and can’t afford it, AZ&ME may be able to help. People that want to be eligible for the prescription savings program are asked to provide some personal information as well as details about their doctor, health insurance, and income.

AstraZeneca said it was only a limited set of patient data, but at this point it is unclear if it was accessed by anyone with ulterior motives, or whether AstraZeneca has any logs that show other access to the data.

Secrets

Developers often need to create test environments so they don’t have to apply changes in the live environment. To make the tests as close to reality as possible, the developer decided to copy a chunk of actual patient data.

Although code sharing sites like GitHub offer several options for storing developer and other credentials so that nobody can find them, this is often forgotten, and developers end up committing secrets to public repositories.

Secret managers

To avoid inadvertently sharing secrets on a public repository, developers can use secret managers. Secret managers are separate programs or parts of a platform that store and inject secrets back into developers’ programs on demand.

Secret managers can easily be synced between a company's developers and can help prevent unauthorized access to the secrets. Many organizations, however, struggle to find one that fits into their workflow and infrastructure.

For such organizations it might be helpful to know that it’s possible to store sensitive information as encrypted secrets. For secrets stored at the organization level, it is possible to use access policies to control which repositories can use organization secrets. GitHub allows you to store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets.
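
The two halves of that advice can be shown together in an added Python example (not code from the original article, AstraZeneca or GitHub): a check that flags credentials written as literals in a file before it is committed, and a loader that only accepts secrets injected at runtime. The key-name list, placeholder conventions, `SF_*` variable names and sample configs are all constructed assumptions.

```python
import os
import re

# Key names that usually hold credentials (assumed list; extend for your codebase).
SECRET_KEY = re.compile(
    r"(?i)\b([\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*)[\"']?\s*[:=]\s*(.+)")
# A quoted literal on the right-hand side means the value lives in the file itself.
LITERAL = re.compile(r"""^["']([^"']{6,})["']""")
# Placeholder values that are safe to commit (assumed conventions).
PLACEHOLDER = re.compile(r"(?i)^(changeme|example|placeholder|x+|\*+|<.*>|\$\{.*\})$")

# Constructed sample: a test-environment config committed with literal credentials.
LEAKY_CONFIG = '''\
SF_LOGIN_URL = "https://sandbox.example.invalid"
SF_USERNAME = "dev.user@example.invalid"
SF_PASSWORD = "Constructed-Passw0rd!"
SF_SECURITY_TOKEN = "constructedTOKEN0123456789"
'''
# Constructed sample: the same config with credentials injected at runtime.
SAFE_CONFIG = '''\
SF_LOGIN_URL = "https://sandbox.example.invalid"
SF_USERNAME = load_credential("SF_USERNAME")
SF_PASSWORD = load_credential("SF_PASSWORD")
SF_SECURITY_TOKEN = load_credential("SF_SECURITY_TOKEN")
'''


def find_hardcoded_secrets(text):
    """Return (line_number, key_name) for each credential assigned a literal value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        match = None if stripped.startswith("#") else SECRET_KEY.search(stripped)
        if not match:
            continue
        literal = LITERAL.match(match.group(2).strip())
        if literal and not PLACEHOLDER.match(literal.group(1)):
            findings.append((lineno, match.group(1)))
    return findings


def load_credential(name, env=os.environ):
    """Read a secret injected at runtime (secret manager or CI); fail closed if absent."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to use a built-in fallback")
    return value
```

Run over staged files in a pre-commit hook or CI job, a non-empty result from `find_hardcoded_secrets` is the signal to block the commit.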



ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.