Charles River Laboratories confirmed a cybersecurity breach today, stating that portions of its IT systems were hacked into last month by intruders who managed to copy a portion of its client data before the company contained the hack.
“While the investigation is ongoing, the company has recently determined that some client data was copied by a highly sophisticated, well-resourced intruder. The number of clients whose data is known to have been copied represents approximately 1% of Charles River’s total number of clients,” Charles River stated in a regulatory filing. “The percentage of clients affected does not necessarily equate to the potential revenue or financial impact related to this incident, which the company has yet to determine.”
In a cybersecurity update to clients posted on its website, Charles River stated that an investigation by federal law enforcement and the company’s own independent cybersecurity experts has determined that “very sophisticated, well-resourced intruders were responsible for this incident.”
“The term ‘sophisticated well-resourced intruders’ is meant to describe a group that we are unable to specifically identify but know, based on expert analysis, is well-resourced, extremely sophisticated, and have been independently targeting multiple organizations,” Charles River added.
The company sought to reassure clients that securing their data, as well as data for its own systems and business, remained a top priority.
“We have closed the known access point for the intrusion and are utilizing highly sophisticated monitoring systems which have not detected any further activity,” Charles River told clients. “We are working with independent cybersecurity experts to ensure that we are doing everything possible, as quickly as possible, to protect the security of our systems.”
Those efforts, Charles River stated in the regulatory filing, include adding enhanced security features and monitoring procedures to further protect its client data.
But the company also cautioned: “While Charles River has taken substantial steps to minimize unauthorized access into its information systems, until its ongoing remediation process is complete, the company will be unable to determine that this incident has been entirely remediated.”
“The company has not observed any further indications of continued unauthorized activity in its information systems,” Charles River said.
One client notified by Charles River is Nivien Therapeutics, a defunct startup that sought to develop a pancreatic cancer treatment candidate targeting Hippo-YAP, a signaling pathway named for the protein kinase Hippo (Hpo) and Yes-associated protein.
“The cyberattack exposed the identity of our therapeutic target and potentially valuable structure-activity relationship (SAR) data: how the structures of our molecules affect their function — and therefore their therapeutic application. Were we still in business, the breach may have jeopardized our endeavor,” Nivien founder and CEO Nathan Brooks Horwitz wrote today in a post on the online publishing platform Medium.
Horwitz detailed the company’s failure in a January 12 article in The Washington Post: “In the end, our preclinical trials failed last summer. Inactivating Hippo-YAP did reduce the proteins protecting cancer, but the magnitude of benefit proved much less than we had hoped. Our initially positive results in mice didn’t translate into data that would save anyone.”
Merck & Co., LabCorp cyberattacks
The cyberattack on Charles River Labs comes nearly two years after the NotPetya network cyberattack that disrupted the manufacturing, research, and sales operations of Merck & Co.—and one year after LabCorp experienced a cyberattack.
In its Form 10-K annual report for 2018, filed February 27, Merck quantified approximately $695 million in impact from the NotPetya cyberattack, consisting of:
- Approximately $260 million in decreased sales in 2017.
- $285 million in manufacturing-related expenses, primarily unfavorable manufacturing variances, recorded in cost of sales, as well as expenses related to remediation efforts recorded in selling, general and administrative expenses and R&D expenses. That figure is net of approximately $45 million in insurance recoveries.
- Approximately $150 million in decreased sales in 2018.
“Although the aggregate impact of cyber-attacks and network disruptions, including the 2017 cyber-attack, on the company’s operations and financial condition has not been material to date, the company continues to be a target of events of this nature and expects them to continue,” Merck warned in the annual report.
As a result, Merck added, “The company has implemented a variety of measures to further enhance and modernize its systems to guard against similar attacks in the future, and also is pursuing an enterprise-wide effort to enhance the company’s resiliency against future cyber-attacks, including incidents similar to the 2017 attack.”
In July 2018, Laboratory Corp. of America Holdings (LabCorp) disclosed that it had detected suspicious activity on its IT network, and acted within 50 minutes to contain and remove ransomware from its systems.
“The activity was subsequently determined to be a new variant of ransomware affecting certain LCD information technology systems. CDD systems were not directly affected by the ransomware,” LabCorp stated in its 10-K annual report for 2018, filed February 28. “The incident temporarily affected test processing and customer access to test results, and also affected certain other information technology systems involved in conducting company-wide operations. Operations were returned to normal within a few days of the incident.”
LabCorp stated that the cyberattack cost it $22.4 million—a figure that includes $12.6 million in consulting fees and employee overtime during the recovery period, and $9.8 million in estimated lost revenue.