Bayer and 12 other major drug companies caught up in Cencora data loss

Plus: US water systems fail at cyber security

Infosec in brief More than a dozen big pharmaceutical suppliers have begun notifying people that their medical records were stolen when US drug wholesaler Cencora was breached in February.

The $250-billion firm – formerly known as AmerisourceBergen – partners with some of the largest pharma dealers, including GlaxoSmithKline, Novartis, Genentech, Bayer, Regeneron and Bristol Myers Squibb.

Late last week, the abovementioned companies and at least seven others began reporting data losses to the California Attorney General. All of the pharma giants attributed the theft of patient data to the earlier Cencora breach.

"Based on our investigation, personal information was affected, including potentially your first name, last name, address, date of birth, health diagnosis, and/or medications and prescriptions," the notifications read [PDF].

"There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this to you so that you can take the steps outlined below to protect yourself," the missives continued.

In an SEC Form 8-K filing submitted in February 2024, Cencora revealed it discovered the IT system intrusion on February 21, and that the exfiltrated data "may contain personal information."

"As of the date of this filing, the incident has not had a material impact on the company's operations, and its information systems continue to be operational," it continued. "The company has not yet determined whether the incident is reasonably likely to materially impact the company's financial condition or results of operations."

Cencora has yet to file an updated Form 8-K and did not immediately respond to The Register's questions.

It's unclear how many individuals' personal and health details were stolen. The California AG doesn't require hacked companies to disclose that figure.

Critical vulnerabilities of the week: More Chrome exploitation

Google last week fixed the eighth Chrome zero-day it has found under exploit this year – its third such fix in the last two weeks – so let's start there.

CVE-2024-5274 is a high-severity type confusion flaw in the V8 JavaScript engine. Google Threat Analysis Group's Clément Lecigne and Chrome Security Brendon Tiszka spotted the bug.

"Google is aware that an exploit for CVE-2024-5274 exists in the wild," according to the advisory.


  • CVSS 9.3 – Multiple CVEs: AutomationDirect Productivity PLCs have a series of flaws that could lead to remote code execution and denial of service.
  • CVSS 8.5 – CVE-2024-5040: LCDS LAquis SCADA have path traversal issues that could allow criminals to read and write files.

CVSS 8.1 – Multiple CVEs: VMware storage controllers on ESXi, Workstation and Fusion have an out-of-bounds read/write vulnerability that can be exploited for denial-of-service attacks or code execution on the hypervisor.

70 percent of US water systems washing out on security

Default passwords and single logins for staff abound at facilities that produce the USA’s drinking water, according to the Environmental Protection Agency (EPA), which found more than 70 percent of the systems inspected since September fail to meet security standards.

"Cyber attacks against [community water systems] are increasing in frequency and severity across the country," the EPA warned in an enforcement alert.

"Based on actual incidents we know that a cyber attack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers," the agency added.

Plus, as the feds and private-sector threat hunters have repeatedly pointed out: cyber criminals from Russia, China and Iran have all broken into US water systems over the past 12 months.

In light of these very serious security shortcomings, the EPA, FBI and US Cybersecurity and Infrastructure Security Agency (CISA) "strongly recommend" water system owners and operators take a series of actions outlined in Top Actions for Securing Water Systems. There's free assistance available, too, via the EPA's Cybersecurity Technical Assistance Form.

Nissan's very bad year gets worse

Nissan's string of security SNAFUs continued after Nissan Oceania reported that the cyber incident call center it set up to respond to an earlier ransomware attack has exposed those same customers' personal info

In December, the Akira ransomware gang broke into Nissan Oceania's networks and stole personal information belonging to more than 100,000 people in Australia and New Zealand.

On May 21, the car manufacturer disclosed that OracleCMS, the third-party supplier it used to manage the cyber incident call center, was hit with its own data incident.

"Unfortunately, some Nissan customer, staff and other stakeholder information, which OracleCMS held on its systems to be able to answer incoming queries, was compromised during the incident," Nissan Oceania admitted.

Specifically: stolen data may include names, contact details, dates of birth and a summary description of the information in the Nissan cyber incident notification letters. "No identity documents, copies of documents or ID numbers were affected," we're told.

"We understand this news will be especially disappointing given people have already had their personal information compromised," the notice continued.

This latest mess came about a week after the automaker disclosed the theft of personal information belonging to more than 50,000 Nissan employees. ®

More about


Send us news

Other stories you might like