AstraZeneca: Hacker Group LAPSUS$ Claims Alleged AstraZeneca Data Breach

LAPSUS$ Claims AstraZeneca Data Breach, Leaks 3GB of Sensitive Internal Data

The threat actor group LAPSUS$ has claimed responsibility for a data breach targeting AstraZeneca, one of the world’s largest pharmaceutical and biotechnology companies. According to posts on hacker forums and the group’s official website, the breach allegedly yielded 3GB of internal data, including source code, cloud infrastructure configurations, employee records, and access credentials.

What Was Allegedly Stolen?

LAPSUS$ claims the stolen data includes:

  • Employee-related datasets (names, roles, permissions)
  • Source code (Java, Angular, Python)
  • Secrets and credentials (private keys, vault data)
  • Cloud infrastructure details (AWS, Azure, Terraform configurations)

The group has shared sample files in .tar.gz format to support its claims and is attempting to sell the data to the highest bidder. A screenshot of the forum post displays AstraZeneca branding alongside a negotiation session ID.

Analysis of Leaked Samples

Security researchers at Hackread.com reviewed the sample data, categorizing it into three main groups:

  1. GitHub Enterprise User Data

    • Contains employee names, GitHub usernames, roles (including "Owner" privileges), and 2FA status.
    • The structured format suggests an authentic internal export. If genuine, it poses a high risk: it exposes the access hierarchy of the organization and tells an attacker which accounts to target for privilege escalation (Owner-level accounts without 2FA being the most valuable).
  2. Third-Party/Contractor Access Data

    • Includes internal user IDs, full names, email addresses, and access logs for external collaborators (e.g., IQVIA, Parexel, Labcorp).
    • The presence of operational comments indicates real internal workflow data, increasing the risk of targeted phishing or social engineering attacks.
  3. Generic Financial Data

    • Contains high-level financial statistics (assets, salaries, income) labeled "All industries."
    • Likely public or non-sensitive, included to inflate the sample’s perceived value.

Assessed Impact & Risks

Data type                      Sensitivity      Potential impact
GitHub Enterprise roles        High             Privilege escalation, internal mapping
Employee/contractor data       Moderate-High    Phishing, social engineering
Cloud infrastructure configs   Critical         Full environment compromise
Generic financial data         Low              No direct risk

While the GitHub and contractor data appear authentic, the cloud infrastructure and credential claims remain unverified. No direct evidence of secrets or private keys was found in the reviewed samples.
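To make the GitHub export risk concrete, and to show the kind of check a reviewer would run before concluding that no secrets appear in a leaked sample, here is an added triage script. It is not code from Hackread, Rankiteo or AstraZeneca. The CSV column names and every sample row are constructed assumptions modelled on the fields the article lists (name, GitHub username, role, 2FA status); a real GitHub Enterprise export will differ. The AWS access key prefix and the PEM private-key header are standard formats; the generic `password=`/`secret=` pattern is an illustrative assumption.

```python
"""Triage a leaked GitHub Enterprise-style user export and sample files.

Added example, not code from the article or from AstraZeneca. The CSV layout
is an assumption modelled on the fields the article lists; real exports
differ. All sample data below is constructed and fictional.
"""
import csv
import io
import re

# Constructed sample standing in for a leaked "GitHub Enterprise User Data" file.
SAMPLE_USER_EXPORT = """\
name,login,role,two_factor_enabled
Alice Example,alice-ex,Owner,true
Bob Sample,bob-s,Owner,false
Carol Test,carol-t,Member,false
Dave Demo,dave-d,Member,true
"""

# Constructed sample standing in for a leaked config file from a .tar.gz sample.
SAMPLE_LEAK_TEXT = """\
# deploy.env (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_HOST=db.internal.example
DB_PASSWORD=hunter2
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
"""

# Patterns for the credential types the article says were claimed stolen.
# AKIA is the documented AWS access key ID prefix and the PEM header is
# standard; the generic assignment pattern is an assumption for illustration.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_assignment": re.compile(r"(?i)(?:secret|password|token)\s*[=:]\s*\S+"),
}


def parse_user_export(csv_text):
    """Parse the constructed export into dicts with a boolean 2FA field."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["two_factor_enabled"] = row["two_factor_enabled"].strip().lower() == "true"
        rows.append(row)
    return rows


def high_value_targets(users):
    """Owner accounts without 2FA: the accounts an attacker would go after first."""
    return sorted(u["login"] for u in users
                  if u["role"] == "Owner" and not u["two_factor_enabled"])


def access_hierarchy(users):
    """Users per role: the 'internal mapping' such an export hands an attacker."""
    counts = {}
    for u in users:
        counts[u["role"]] = counts.get(u["role"], 0) + 1
    return counts


def scan_for_secrets(text):
    """Return {pattern_name: [matches]} for every credential pattern that hits."""
    hits = {}
    for name, pattern in SECRET_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    users = parse_user_export(SAMPLE_USER_EXPORT)
    print("roles:", access_hierarchy(users))
    print("owners without 2FA:", high_value_targets(users))
    print("credential patterns in sample:", scan_for_secrets(SAMPLE_LEAK_TEXT))
```

Run against the real samples, an empty result from `scan_for_secrets` on every extracted file is what would support the "no direct evidence of secrets or private keys" finding; a non-empty `high_value_targets` list is the concrete privilege-escalation exposure the GitHub export creates, and is also the list a defender should use to enforce 2FA and rotate credentials first.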

Current Status

As of publication, AstraZeneca has not confirmed the breach, and the claims remain unverified. The company has been contacted for comment, with updates pending. LAPSUS$’s involvement is also unconfirmed, as attribution in cybercrime forums is often unreliable.

Source: https://hackread.com/hacker-group-lapsus-astrazeneca-data-breach/

AstraZeneca cybersecurity rating report: https://www.rankiteo.com/company/astrazeneca

"id": "AST1774045431",
"linkid": "astrazeneca",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Pharmaceutical and Biotechnology',
                        'name': 'AstraZeneca',
                        'size': 'Large',
                        'type': 'Corporation'}],
 'data_breach': {'data_exfiltration': 'Yes (3GB of data allegedly stolen)',
                 'file_types_exposed': ['.tar.gz'],
                 'personally_identifiable_information': ['Employee names',
                                                         'GitHub usernames',
                                                         'Roles',
                                                         'Email addresses',
                                                         'Internal user IDs'],
                 'sensitivity_of_data': 'High (GitHub roles, cloud configs, '
                                        'PII)',
                 'type_of_data_compromised': ['Source code',
                                              'Cloud infrastructure '
                                              'configurations',
                                              'Employee records',
                                              'Access credentials',
                                              'Third-party/contractor access '
                                              'data',
                                              'Generic financial data']},
 'description': 'The threat actor group LAPSUS$ has claimed responsibility for '
                'a data breach targeting AstraZeneca, allegedly yielding 3GB '
                'of internal data including source code, cloud infrastructure '
                'configurations, employee records, and access credentials. The '
                'group shared sample files and is attempting to sell the data.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data exposure',
            'data_compromised': '3GB of internal data',
            'identity_theft_risk': 'High (employee/contractor PII exposed)',
            'operational_impact': 'Potential privilege escalation, phishing '
                                  'risks, and environment compromise',
            'systems_affected': ['GitHub Enterprise',
                                 'Cloud infrastructure (AWS, Azure)',
                                 'Internal databases']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (attempting to sell '
                                                    'data)'},
 'investigation_status': 'Unverified (AstraZeneca has not confirmed the '
                         'breach)',
 'motivation': 'Financial gain (data sale)',
 'references': [{'source': 'Hackread.com'}],
 'threat_actor': 'LAPSUS$',
 'title': 'LAPSUS$ Claims AstraZeneca Data Breach, Leaks 3GB of Sensitive '
          'Internal Data',
 'type': 'Data Breach'}