AstraZeneca Password Lapse Exposed Patient Data

An anonymous reader quotes a report from TechCrunch: Pharmaceutical giant AstraZeneca has blamed "user error" for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment, often used by businesses to manage their customers, but the test environment contained some patient data, Hussein said. Some of the data related to AZ&ME applications, which offers discounts to patients who need medications. TechCrunch provided details of the exposed credentials to AstraZeneca, and the GitHub repository containing the credentials was inaccessible hours later. In a statement, AstraZeneca spokesperson Patrick Barth told TechCrunch: "The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws. Due to an [sic] user error, some data records were temporarily available on a developer platform. We stopped access to this data immediately after we have been [sic] informed. We are investigating the root cause as well as assessing our regulatory obligations." It's unclear if anyone was able to access the data, or if any data was exfiltrated.

Read more of this story at Slashdot.