2025-05-16 14:14:39 by BusinessLine

In early 2023, Sun Pharma had announced an information security incident. The company reported a breach affecting certain file systems and the theft of company and personal data | Photo Credit: xijian Alkem Laboratories is the latest pharma company to suffer a data breach from intruders. In a disclosure to stock exchanges, Alkem Laboratories informed that a cyber security breach had occurred at Enzene Biosciences Ltd, its wholly-owned subsidiary.The incident involved the compromise of business email accounts belonging to certain employees, resulting in fraudulent transfer of funds. The company stated that the total amount affected by the fraud is currently under investigation. The company has engaged independent external agencies to carry out a thorough inquiry into the breach. In early 2023, Sun Pharma had announced an information security incident. The company reported a breach affecting certain file systems and the theft of company and personal data. While the incident didn’t impact their core systems or operations, Sun Pharma promptly initiated containment, eradication, and recovery measures, including isolating impacted IT assets and the network. The company was investigating the matter and taking appropriate remediation actions, it had then said.Five years ago, Dr Reddy’s Laboratories was forced to shut down all its production facilities across the world, following a data breach reported in its servers. The Hyderabad-based pharma major had confirmed that the cyber security breach was a ransomware attack. The company had engaged leading outside cyber security experts to launch a comprehensive damage-control effort and is in the process of recovering and restoring all data.Ironically, the cyber attack came just days after the pharmaceutical giant received the approval from the Drugs Controller General of India to conduct the phase 2/3 trials of a Russian vaccine in India. Such attacks, however, are not restricted to the pharma sector alone, nor are they India-specific. Across sectors around the world, companies are facing cyber threats.Angel One incidentAngel One, in February, informed the exchanges that it received certain data leakage post alerts via email from its dark-web monitoring partner, informing it of unauthorised access to the client’s data. Some of Angel One’s Amazon Web Services (AWS) resources were compromised. The company said that it immediately changed all related credentials of its AWS cloud and other applications“We value the data privacy of our clients and as an immediate measure, we have engaged an external forensic partner to validate and investigate the impact of this incident and its thorough root cause analysis. We have verified that this breach does not have any impact on clients’ securities, funds and credentials; and all our client accounts remain secure. We continue to investigate this further to assess its potential impact, if any, and are making this disclosure as a matter of good governance.” Angel One’s release added. Global firmsSimilarly, automobile major Toyota (August 2024) and Volkswagen Group (early this year) also faced significant data breach incidents.It appears that the Indian market has largely ignored data breach reports. For instance, share prices of Angel One have jumped over 25 per cent since the announcement came in February. Similarly, Sun Pharma shares nearly doubled in three years after the event. Dr Reddy’s Lab gained nearly 50 per cent since October 2020 (though it was an underperformance compared with over 150 per cent gains of BSE Healthcare index during the period). So, should investors not take data breach news seriously? It is naive to invest or hold shares of companies without understanding the wider implications of cyber threats, including their cascading effects on connected industries, supply chains and consumers. As per current SEBI mandate, details of cyber security incidents or breaches or loss of data or documents should be disclosed in the Corporate Governance Report by the listed entities to the stock exchanges on a quarterly basis. Companies are disclosing such incidents to the exchanges under Section 30 promptly. But follow-up disclosures on how they came out from the incident, what was its actual impact both financially and organisationally, are missing. More such disclosures, along with industry/sector-wide coordinated efforts to check this menace will help all stakeholders across the value chain. Published on May 16, 2025