AstraZeneca Data Breach Allegedly Claimed by LAPSUS$ as Internal Data Access Reported
The notorious hacking collective known as LAPSUS$ has resurfaced, allegedly claiming responsibility for a significant data breach involving multinational pharmaceutical giant AstraZeneca.
The threat actors are reportedly attempting to sell a compressed 3GB internal data dump, indicating a potential compromise of AstraZeneca’s internal network.
LAPSUS$ has previously gained notoriety for high-profile breaches targeting major technology companies, and this alleged attack signals their return to active operations.
To substantiate their claims, the group has posted teasers of the stolen data on illicit forums, detailing the contents of the archive and providing screenshots as initial proof of access.
Instead of their usual public extortion methods, LAPSUS$ appears to be shifting towards a pay-to-access model.
The threat actors are actively encouraging potential buyers to contact them through the secure messaging application Session to negotiate a direct purchase.
Currently, no full leak has been made publicly available for free, suggesting that the group’s primary motive is financial gain through a private sale rather than immediate public pressure.
Furthermore, the attackers have provided prospective buyers with password-protected paste links containing redacted secrets as further evidence of their unauthorized access.
Compromised Assets Breakdown
According to the threat actors’ forum posts, the 3GB data dump contains a wide array of highly sensitive intellectual property and infrastructure configuration details.
Initial assessments of the leaked data structure suggest it is consistent with genuine enterprise exports tied to internal identity and access management systems.
| Asset Category | Compromised Components |
|---|---|
| Source Code | Java Spring Boot applications, Angular frontend frameworks, and various Python scripts . |
| Cloud Infrastructure | Terraform configurations for AWS and Azure environments, alongside Ansible roles used for automation and orchestration . |
| Secrets and Access | Private cryptographic keys, Vault credentials, and authentication tokens related to GitHub and Jenkins CI/CD pipelines . |
To further validate their claims, the attackers released public samples revealing specific internal repository structures and project details.
The exposed directory tree highlights a root folder named AZU_EXFIL, which notably contains a critical supply-chain portal repository identified as als-sc-portal-internal.
This internal portal appears to manage several core logistical functions that are vital to pharmaceutical distribution.
These critical functions include forecasting, inventory tracking, product master data management, SAP system integration, and On-Time In-Full (OTIF) delivery metrics.
The exposure of such detailed operational data suggests that the breach, if proven legitimate, could have far-reaching negative implications for AstraZeneca’s internal supply chain operations.
The presence of accounts with high-level privileges across multiple internal repositories significantly elevates the risk, as it could enable privilege escalation and deeper mapping of the corporate environment.
Despite the severity of these claims and the public sharing of sample data, AstraZeneca has not yet officially commented on the incident.
As of March 20, 2026, no official statement or confirmation has been released by the pharmaceutical company regarding the alleged systems compromise.
Security researchers continue to monitor the situation closely, as the potential exposure of cryptographic keys and cloud infrastructure configurations could allow for further unauthorized access or secondary attacks against the organization.