A Bug in the Lab

How hackers stole data from my biotech startup by infiltrating a global R&D contractor

I was on an island in Vietnam when I got the alert from the CEO of Charles River Labs, the world’s top R&D contractor: “highly sophisticated and well-resourced intruders” had stolen data from 1% of its clients — including my biotech startup, Nivien Therapeutics.

Image for post

Charles River is a natural target: it handles data from startups like Nivien to giants like Pfizer, which enlist contractors for specialized expertise, capital-intensive infrastructure and experiments that exceed in-house bandwidth.

We worked with several contractors at Nivien: on animal studies, chemical screens, assay development and optimization of our therapeutic candidates. The data and IP from these contracts are the solid gold of biomedical R&D.

The cyberattack exposed the identity of our therapeutic target and potentially valuable structure-activity relationship (SAR) data: how the structures of our molecules affect their function — and therefore their therapeutic application.

Were we still in business, the breach may have jeopardized our endeavor.

However, I’d already disclosed our target in an essay in The Washington Post about ending Nivien after a go/no-go decision point. We’d also patented our best molecules months earlier. For us, the hack doesn’t matter too much.

For other clients, the hack could matter quite a lot.

The mere identity of a drug target pursued by a top pharma company can be worth millions; the chemistry, billions. For startups, SAR data is a core asset.

Fortunately, no files were altered or erased. Charles River closed the breach. How important the copied data turns out to be, and who stole it, is unknown.

What’s certain is that cyberattacks are a growing threat to the industry.

In 2017, Russia deployed malware called NotPetya against Ukraine. The bug also infected Merck, disrupting operations and causing $870M in damages.

Merck’s insurers then refused to cover the loss, claiming the damages resulted from an act of war and were therefore exempt under an obscure legal clause.

Merck sued.

The outcome will be a defining moment for the cybersecurity and insurance sectors, as well as for any company that relies on digital technology in an era when ‘security’ no longer means a guard strolling around with a flashlight.

Image for post

I doubt that Charles River should or maybe even could have done much more to prevent the hack. I will work with them again on future projects, because they provided smart, reliable scientists who did great work for Nivien.

We shared data using encryption, two-factor authentication, password-locked files and a portal only accessible from our lab in SF. Especially after the Merck attack, Charles River’s internal defenses are presumably also state-of-the-art.

Therein lies the problem: if the world’s multibillion dollar R&D companies can’t protect against cyberattacks, what hope is there for the rest of us?

—NBH

Written by

Biotech VC. Director or Observer on the boards of six RA Capital companies. Former CEO of Nivien Therapeutics. My writing does not represent RA Capital.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store