The Fujifilm Diosynth data breach lawsuit
When Raleigh resident Grant Johnson signed on for a summer internship at North Carolina-based Fujifilm Diosynth Biotechnologies, he may have expected hands-on experience with the science of manufacturing medicines, but it’s unlikely he expected his name, Social Security number, and other personal details to end up in the hands of unknown hackers.
In a federal lawsuit filed November 7, 2025, Johnson has accused the biotech manufacturer of failing to secure its internal systems against a breach that allegedly compromised sensitive information belonging to current and former employees. The complaint, filed in the Middle District of North Carolina, claims Fujifilm Diosynth discovered that unauthorized individuals had accessed its network but failed to promptly notify those affected.
The company did report the incident to the Attorneys General of Texas and Massachusetts, and possibly other states, as required by data breach laws. Public records show Texas published the filing on October 24, 2025, while Massachusetts posted a sample consumer notice later that month. Johnson argues that the company’s delay in notifying employees past and present worsened the harm, limiting their ability to protect themselves from identity theft.
“As soon as someone becomes aware their data has been breached, they can initiate a security freeze with credit reporting agencies,” said Kieran Human, ThreatLocker Security Enablement Lead. “They should enable multi-factor authentication everywhere possible.”
Johnson’s complaint accuses an otherwise trusted biotech contractor of negligence, violations of Federal Trade Commission data protection standards, unjust enrichment, and breach of implied contract. The proposed class action seeks damages, restitution, and injunctive relief intended to improve the company’s cybersecurity.
The lawsuit highlights a growing vulnerability in the biotech industry. Companies that work with both sensitive research and personal data are often prime targets for cybercrime.
Biotech becomes a prime target for cyberattacks
Biotech companies hold a great deal more than employee files. They also hold regulatory submissions, clinical data, and trade secrets that attract criminal and state-sponsored actors.
Real-world examples of cyberattacks targeting biotech firms
State-backed intrusions targeting vaccine and research data
In July 2025, U.S. and Italian authorities announced the arrest of Xu Zewei, a contractor alleged to work with China’s state security services, for hacking into U.S. universities and biomedical researchers. The Department of Justice said Xu exploited vulnerabilities in Microsoft Exchange servers between 2020 and 2021, installing web shells that allowed persistent access to email accounts and research databases. The campaign focused on vaccine, therapeutic, and testing data related to COVID-19, targeting immunologists and virologists across multiple states.
Investigators traced the intrusions to infrastructure tied to the HAFNIUM group, previously linked to Chinese state hacking operations. The indictment charged Xu with wire fraud, unauthorized computer access, and aggravated identity theft. The operation blended conventional cybercrime with espionage, harvesting research from academia before publication.
Insider theft and intellectual property espionage in biotech
In 2022, prosecutors secured sentences against Racho Jordanov, the co-founder and former Chief Executive Officer of JHL Biotech, and Rose Lin, another of the company’s co-founders and former Chief Operating Officer, for conspiring to steal trade secrets from a competitor. The pair recruited Genentech scientist Xanthe Lam to secretly consult for JHL while still employed at Genentech, and she funneled confidential procedures and tech transfer materials to JHL from 2011 to 2019, a classic case of insider theft.
Among the trade secrets stolen were Genentech’s confidential manufacturing and technology-transfer documents for blockbuster biologics including Rituxan, Herceptin, and Avastin. These files detailed cell-culture processes, purification steps, standard operating procedures, process-implementation plans, and quality-control protocols that Genentech used to scale and certify production. Prosecutors said the trove also included technology-transfer agreements, regulatory documentation, and plant-startup blueprints that described how to replicate Genentech’s FDA-approved systems in another facility. According to court records, JHL employees used these documents to create roughly 90 to 100 standard operating procedures and to prepare their own plants for good-manufacturing-practice certification.
North Korea’s persistent targeting of pharmaceutical R&D
In February 2021, South Korea’s National Intelligence Service briefed lawmakers that North Korean hackers had attempted to steal vaccine and treatment data from Pfizer. Legislator Ha Tae-keung publicly confirmed that the hackers sought COVID-19 research files, and Reuters later verified the statement through official channels.
Although the attack vector was never disclosed, analysts believe the operation involved phishing and credential harvesting consistent with other North Korean campaigns. Authorities did not confirm whether the attempt succeeded, but the revelation reflected Pyongyang’s strategy of targeting pharmaceutical and biotech companies to accelerate its own medical research. Even without technical details, one thing was clear: state-backed actors had identified vaccine R&D as a new front for cyber-espionage.
Regulators under attack: Lessons from the EMA breach
In December 2020, the European Medicines Agency (EMA) announced it had been hacked, exposing confidential Pfizer-BioNTech vaccine review documents stored on its servers. Investigators said unauthorized users accessed regulatory submission files, internal correspondence, and portions of clinical-evaluation data.
Portions of the stolen material appeared online a month later, showing redacted technical details about the vaccine’s composition and quality controls. While EMA did not release forensic details, cybersecurity researchers in the Netherlands attributed the breach to Russian state-backed actors using phishing and credential theft to reach regulatory networks. The breach showed how adversaries sometimes skip the company and go straight for the regulator that holds the same information.
Social engineering in research: The AstraZeneca recruiter attacks
In 2020, cybersecurity investigators uncovered a North Korean campaign that targeted researchers at AstraZeneca during the race to develop COVID-19 vaccines. The attackers posed as recruiters on LinkedIn and WhatsApp, sending fake job descriptions embedded with malicious code. These weaponized files, disguised as Microsoft Word documents, were designed to infect victims’ computers and provide remote access to internal systems.
According to Reuters, the targets included AstraZeneca staff working directly on coronavirus research. While no confirmed breach of vaccine data was reported, the operation demonstrated how social engineering is used to bypass perimeter defenses by exploiting trust between professionals. The incident illustrated a modern espionage tactic: infiltrating scientific organizations not with code-breaking but with career opportunities that conceal malware.
Strengthening security across research and operations
Vendor-agnostic cybersecurity hardening checklist
1. Identity and access management
- Enforce multi-factor authentication (MFA) for all administrative and remote accounts.
- Use least privilege principles; remove legacy and shared credentials.
- Review directory permissions quarterly for both local and federated identities.
- Segment regulator-facing or compliance systems behind separate identity providers.
2. Endpoint and server protection
- Apply application allowlisting or other execution control to prevent unauthorized code.
- Keep all OS and application patches current, including VPNs and remote access software.
- Disable unused services (FTP, RDP, SMBv1) to shrink the attack surface.
- Monitor for unsigned or sideloaded executables, especially in document processing workflows.
3. Email and phishing defense
- Deploy anti-phishing and sandboxing for attachments and links.
- Tag external emails and train staff to identify credential-harvest attempts.
- Implement DMARC, SPF, and DKIM to authenticate your own outgoing messages.
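As an added example for the DMARC/SPF item above (not ThreatLocker's or the page's own code), the following audits the two DNS TXT records offline, placing a weak record beside its hardened form. The domain names and record contents are constructed; in practice they would come from TXT lookups of the domain and its `_dmarc` subdomain.

```python
# Added example, not ThreatLocker's code. Constructed records: weak beside hardened.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
HARD_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARD_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-rua@example.com"

# What each terminal 'all' qualifier tells a receiving server to do with unlisted senders.
SPF_ALL_FINDINGS = {
    "+all": "'+all' authorizes any host to send as this domain; use '-all'",
    "?all": "'?all' is neutral and gives receivers nothing to enforce; use '-all'",
    "~all": "'~all' softfail is a rollout setting; move to '-all' once senders are known",
}

def parse_tags(record):
    """Parse DMARC 'tag=value; tag=value' syntax into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def audit_spf(record):
    """Return findings for an SPF record; an empty list means it is hardened."""
    mechs = record.lower().split()
    if not mechs or mechs[0] != "v=spf1":
        return ["not an SPF record"]
    # A bare 'all' means '+all'; no 'all' at all leaves unlisted senders without a verdict.
    all_mech = next((m if m[0] in "+-~?" else "+" + m
                     for m in mechs[1:] if m.lstrip("+-~?") == "all"), None)
    if all_mech is None:
        return ["no 'all' mechanism: unlisted senders get no verdict; end with '-all'"]
    finding = SPF_ALL_FINDINGS.get(all_mech)
    return [finding] if finding else []

def audit_dmarc(record):
    """Return findings for a DMARC record; an empty list means it is hardened."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = tags.get("p", "")
    if p not in ("quarantine", "reject"):
        findings.append(f"p={p or '<missing>'}: spoofed mail is still delivered; set p=reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports of spoofing attempts")
    return findings
```

Running `audit_spf` and `audit_dmarc` over the weak pair returns the three DMARC findings and the `+all` finding; the hardened pair returns empty lists.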
4. Network segmentation and monitoring
- Separate R&D, regulatory submission, and corporate IT networks.
- Use firewall rules to block east-west traffic except where necessary.
- Deploy network detection and response (NDR) tuned for lateral movement and exfiltration patterns.
- Log DNS, proxy, and authentication events to a SIEM for correlation.
5. Data governance and encryption
- Encrypt sensitive documents at rest and in transit, including staging and submission servers.
- Apply role-based access controls to regulatory folders and submission archives.
- Use digital-rights management (DRM) for intellectual property shared with regulators.
- Implement data-loss prevention (DLP) tools to block uploads of proprietary files to external sites.
6. Incident response and resilience
- Maintain offline, immutable backups of submission data.
- Run quarterly tabletop exercises simulating credential theft and phishing.
- Document and test escalation paths to legal and communications teams.
- Store forensic logs centrally for 90 days or longer for post-incident review.
ThreatLocker Zero Trust hardening checklist for biotech and research organizations
1. Application control
- Deploy ThreatLocker Application Allowlisting in default-deny mode across endpoints that handle regulatory or submission data.
- Approve only verified applications such as PDF editors, document-signing tools, and secure transfer utilities.
- Use the Learning Mode briefly to populate baselines, then switch to enforcement.
- Block execution of all unsigned or unapproved binaries, including those embedded in email attachments.
2. Ringfencing
- Configure Ringfencing policies so allowed apps cannot access PowerShell, command interpreters, or network drives unless explicitly required.
- Deny inter-process communication between office applications and browsers to stop macro or script-based credential theft.
- Restrict outbound network destinations for critical applications to defined IP ranges or URLs (e.g., regulatory portals only).
3. Storage control
- Enable Storage Control to block unauthorized USB devices or external media.
- Allow only encrypted, company-issued drives with audit logging enabled.
- Restrict write permissions on mapped network shares containing clinical or regulatory data.
4. Network and privilege integration
- Tie ThreatLocker policies to Active Directory groups so that privilege reductions follow user roles automatically.
- Combine ThreatLocker policies with MFA and privileged access management (PAM) solutions for admin accounts.
- Use ThreatLocker Elevation Control to require just-in-time approval for privileged actions.
5. Monitoring and response
- Enable Audit Mode reporting for new or blocked applications to identify anomalies.
- Integrate logs with a SIEM for real-time alerting on policy violations or denied executions.
- Regularly review ThreatLocker Insights to track trends in denied network connections or unexpected processes.
6. Business continuity
- Maintain a cloned ThreatLocker policy export offline for disaster recovery.
- Schedule automatic cloud backups of configuration data.
- Document restoration procedures so ThreatLocker enforcement can resume quickly after a system rebuild.
Frequently asked questions
Who filed the lawsuit against Fujifilm Diosynth Biotechnologies?
The lawsuit was filed by Grant Johnson, a former summer intern, who alleges that Fujifilm Diosynth failed to secure employee data after a 2025 breach.
What information was exposed in the Fujifilm Diosynth breach?
The alleged breach involved names, Social Security numbers, and other personal details of employees and former workers.
Why is the biotech industry a frequent target of cyberattacks?
Biotech companies manage valuable research, regulatory data, and intellectual property, making them prime targets for espionage and ransomware.
What cybersecurity measures reduce risk in biotech environments?
Use multi-factor authentication, segment R&D systems, enforce least privilege, and monitor for unauthorized access to safeguard data.
How does ThreatLocker help prevent similar breaches?
ThreatLocker applies Zero Trust security, Application Allowlisting, Ringfencing™, and Network/Storage Controls to stop ransomware and lateral movement.