Global pharmaceutical giant AstraZeneca, known for developing a leading Covid-19 vaccine, has fallen victim to a cyber attack orchestrated by the international teenage hacker network Lapsus$, according to multiple posts from the group. The breach, which occurred in March 2026, has raised concerns that confidential software, data, and employee records may have been stolen.
ICO Confirms Incident
The Information Commissioner’s Office (ICO) confirmed the cyber incident after AstraZeneca reported it. A spokesperson stated: 'AstraZeneca made us aware of a cyber incident in March 2026. After assessing the information, we provided guidance, and the case has since been closed with no formal action.' AstraZeneca, a British-Swedish pharmaceutical company valued at billions of dollars, declined to comment on the matter.
Details of the Breach
Lapsus$ claimed responsibility for the attack at the end of March, according to Dark Web posts monitored by cybersecurity experts and hacking trackers. The group alleges it extracted 3GB of data, including source code, employee records, and cloud infrastructure details. The hackers are reportedly attempting to sell the stolen information to the highest bidder. Additionally, Lapsus$ claims to have obtained API Keys, which are unique strings of characters used to grant access to applications or users.
Who Are Lapsus$?
Lapsus$ is an international hacker group infamous for data extortion. It has previously breached major corporations such as Microsoft and Nvidia, shocking the cybersecurity world. The gang is believed to consist mostly of teenagers, with confirmed members from the UK. In 2023, an 18-year-old named Arion Kurtaj from Oxford was found guilty of being part of the network. Lapsus$ employs social engineering tactics alongside computer hacking to gain access to targets, often taunting them publicly and celebrating their crimes online. Microsoft has noted that the group has even listened in on victims' conference calls to monitor breach responses.
AstraZeneca's Global Impact
AstraZeneca gained worldwide recognition for its pivotal role in developing a Covid-19 vaccine distributed to over 170 countries. Headquartered in Cambridge, the company is also engaged in critical healthcare projects, including cancer research and rare disease treatments. The breach comes amid other data security concerns, such as the recent disclosure that details of 500,000 volunteers from the Biobank database were listed for sale online. Technology minister Ian Murray confirmed that the information of all half a million members was found for sale on Alibaba.
