Breaches | Mar 20, 2026

Hacker Group LAPSUS$ Claims Alleged AstraZeneca Data Breach

Threat actor group LAPSUS$ claims to have breached AstraZeneca and obtained approximately 3GB of sensitive internal data, including source code, employee records, cloud configurations, and contractor access logs. Analysis of leaked samples reveals GitHub Enterprise user data with privilege mappings and third-party contractor access information, though cloud infrastructure credentials remain unverified and attribution is unconfirmed.

Full text

LAPSUS$ claims it breached AstraZeneca and is offering alleged source code, credentials, cloud configs, and employee data for sale, with leaked samples as proof.

By Waqas, March 20, 2026 (3 minute read)

A threat actor group identifying itself as "LAPSUS$" is claiming responsibility for an alleged data breach involving AstraZeneca, one of the world's largest multinational pharmaceutical and biotechnology companies. The group claims to have obtained approximately 3GB of internal data, including source code, cloud infrastructure configurations, and employee-related information.

What the Threat Actor Claims

According to a post circulating on a hacker forum and on the group's own website, it alleges access to:

  • Employee-related datasets
  • Full source code (Java, Angular, Python)
  • Secrets and access credentials (private keys, vault data)
  • Cloud infrastructure configurations (AWS, Azure, Terraform)
  • and more…

The post references downloadable archives in .tar.gz format and states a total data size of around 3GB. The hackers are attempting to sell the data to the highest bidder and have shared sample files to support their claims. A screenshot accompanying the post displays AstraZeneca branding and a message advertising the data, alongside a Session ID for negotiation and a slogan referencing the group's previous breach activity.

(Image: the group's post on a hacker forum. Credit: Hackread.com)

Analysis of the Leaked Samples

Hackread.com reviewed the sample data, which is divided into three main categories: GitHub-related data, third-party data, and financial data. Below is what each category contains and whether the data appears authentic or fabricated.

1. GitHub Enterprise User Data

One sample file includes structured records resembling exports from a GitHub Enterprise environment. Fields include:

  • Employee names
  • Cost center references
  • License types (Enterprise)
  • Enterprise roles and permissions
  • Two-factor authentication status
  • GitHub usernames and profile URLs
  • Organization roles (Owner, Member)

Assessment: The data structure is consistent with a real enterprise export from GitHub or from an identity and access management system. Its detailed role mappings across multiple internal organizations suggest visibility from inside the corporate environment rather than information gathered through public scraping. The presence of numerous accounts holding the "Owner" role across several organizations raises the stakes: in GitHub, Owner is the highest organization-level role, with full access to every repository and setting in that organization, so if authentic, this is highly sensitive access data. Combined with the per-account two-factor authentication status, it would give an attacker a ready-made map of who holds the most privilege and which of those accounts are least protected, exposing internal access hierarchies and enabling targeted attacks.

2. Third-Party / Contractor Access Data

Another dataset appears to track access requests and onboarding for external collaborators, including:

  • Internal user IDs
  • Full names and email addresses
  • Comments from internal teams
  • Company affiliations (IQVIA, Parexel, Labcorp, etc.)
  • Access status for internal systems (e.g., Confluence)

Assessment: This appears to be an internal access-management or onboarding log, containing personally identifiable information along with details of organizational relationships. The inclusion of operational comments points to genuine internal workflow data rather than fabricated content. Given the nature of the information, the risk level can be considered moderate to high: exposure of contractor relationships and the systems they have access to could support targeted social engineering campaigns, for example phishing that impersonates a named contractor company or an internal approver.

3. Generic Financial Data

A third dataset contains high-level financial statistics labeled "All industries" with fields such as:

  • Assets
  • Salaries
  • Total income
  • Expenditure

Assessment: This data appears to consist of public or generic statistical information rather than anything specific to AstraZeneca. It was likely included to increase the volume of the sample or to distract from the more relevant data. As such, it carries a low risk level, with no clear sensitivity or direct connection to AstraZeneca's operations.

(Image: the group's post on its own website. Credit: Hackread.com)

Sensitivity of the Alleged Data

Data type                                 Sensitivity        Impact
GitHub enterprise roles                   High               Privilege escalation, internal mapping
Employee / contractor data                Moderate to High   Phishing, social engineering
Cloud infrastructure configs (claimed)    Critical           Full environment compromise
Generic financial data                    Low                No direct risk

If the claimed "secrets and access" data is real, it would represent the most severe risk; however, no direct evidence of such material is present in the samples reviewed. Attribution on cybercrime forums is also unreliable, and use of the LAPSUS$ name does not confirm that group's involvement.

At the time of writing, these claims remain unverified. We have reached out to AstraZeneca for confirmation or comment and will update this story if and when the company responds.

About the author: Waqas. I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. I am also into gaming, reading and investigative journalism.
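The GitHub Enterprise export described in the sample analysis is exactly the kind of file a defender should be able to triage quickly: which accounts hold the Owner role, in how many organizations, and which of those lack two-factor authentication. The following is an added example, not code from the article, from Hackread.com, or from AstraZeneca; the CSV column layout and the records are constructed assumptions based only on the field names the article lists, and no real usernames or people are represented.

```python
"""Triage a GitHub Enterprise-style user export for over-privileged accounts.

Added example: the column names below are ASSUMED from the fields the article
lists (names, cost center, license type, enterprise role, 2FA status, username,
profile URL, organization role). The sample rows are CONSTRUCTED and fictional.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (fictional users and organizations).
SAMPLE_EXPORT = """\
name,cost_center,license_type,enterprise_role,two_factor,github_username,profile_url,organization,org_role
Alice Example,CC-100,Enterprise,Member,true,alice-ex,https://github.com/alice-ex,platform-core,Owner
Alice Example,CC-100,Enterprise,Member,true,alice-ex,https://github.com/alice-ex,data-science,Owner
Alice Example,CC-100,Enterprise,Member,true,alice-ex,https://github.com/alice-ex,mobile-apps,Owner
Bob Example,CC-200,Enterprise,Member,false,bob-ex,https://github.com/bob-ex,platform-core,Owner
Carol Example,CC-200,Enterprise,Member,true,carol-ex,https://github.com/carol-ex,platform-core,Member
Dan Example,CC-300,Enterprise,Enterprise owner,false,dan-ex,https://github.com/dan-ex,data-science,Member
Erin Example,CC-300,Enterprise,Member,false,erin-ex,https://github.com/erin-ex,mobile-apps,Member
"""


def parse_export(text):
    """Parse the CSV export into a list of dict rows (one row per user/org pair)."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_true(value):
    """Exports spell booleans inconsistently; normalise the common spellings."""
    return value.strip().lower() in {"true", "yes", "enabled", "1"}


def triage(rows, max_owner_orgs=1):
    """Return {username: [findings]} for accounts that deserve a second look.

    Findings raised:
      - Owner role in more organizations than max_owner_orgs (least-privilege
        signal: an org Owner can read every repo and change every setting).
      - Org Owner without two-factor authentication.
      - Enterprise-level owner without two-factor authentication.
    """
    owner_orgs = defaultdict(set)
    no_2fa = set()
    enterprise_owners = set()
    for r in rows:
        user = r["github_username"]
        if r["org_role"].strip().lower() == "owner":
            owner_orgs[user].add(r["organization"])
        if not _is_true(r["two_factor"]):
            no_2fa.add(user)
        if "owner" in r["enterprise_role"].lower():
            enterprise_owners.add(user)

    findings = defaultdict(list)
    for user, orgs in owner_orgs.items():
        if len(orgs) > max_owner_orgs:
            findings[user].append(f"owner of {len(orgs)} orgs: {sorted(orgs)}")
        if user in no_2fa:
            findings[user].append("org owner without 2FA")
    for user in enterprise_owners:
        if user in no_2fa:
            findings[user].append("enterprise owner without 2FA")
    return dict(findings)


def summarize(rows):
    """Headline counts: distinct users, distinct org Owners, users lacking 2FA."""
    users = {r["github_username"] for r in rows}
    owners = {r["github_username"] for r in rows
              if r["org_role"].strip().lower() == "owner"}
    without_2fa = {r["github_username"] for r in rows
                   if not _is_true(r["two_factor"])}
    return {"users": len(users), "owners": len(owners), "without_2fa": len(without_2fa)}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(summarize(rows))
    for user, issues in sorted(triage(rows).items()):
        print(f"{user}: {'; '.join(issues)}")
```

Run against the constructed sample, the script flags alice-ex for holding Owner in three organizations, bob-ex as an org Owner without 2FA, and dan-ex as an enterprise-level owner without 2FA; erin-ex lacks 2FA but holds only Member, so she appears in the summary count rather than as a finding. The same logic applies to a legitimate export pulled by the organization's own administrators, which is the point: if this data is authentic, the attacker already has this view, and the defender's first move is to make sure every flagged account is reduced to the privilege it needs and enrolled in 2FA.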

Indicators of Compromise

  • threat actor: LAPSUS$ (self-identified; attribution unconfirmed). This is a threat-actor name, not malware, and the claim as reported carries no file, host, or network indicators; the only artifacts referenced are the .tar.gz sample archives offered through the forum post.