Cyber Incident Victim: Novo Nordisk

Date: Mar 2026

Location: Denmark

Summary

Novo Nordisk disclosed that attackers copied data from a limited number of internal IT systems, including source code, AI models, proprietary drug information, clinical trial data, and pseudonymized details of thousands of research subjects, employees, and healthcare professionals. The hack‑and‑leak group FulcrumSec claimed responsibility, stating it had obtained over a terabyte of data using dormant credentials and a GitHub token. The group demanded a $25 million extortion payment and, after the company refused, began offering the data for sale via dark‑web channels while withholding certain sensitive sets as part of a harm‑reduction strategy. The company said it is working with authorities and that its main platforms remain in operation.

Description

Novo Nordisk disclosed a cybersecurity incident on June 11, 2026, stating that data, including patient information, had been copied externally without authorization from a limited number of its internal IT systems. The company said the breach was identified after detecting unauthorized access and notified affected individuals that the exfiltrated data was pseudonymized and could not be directly linked to patients without additional information. Two days later, on June 13, the hack‑and‑leak group FulcrumSec claimed responsibility for the attack, telling DataBreaches.net that it had gained entry to Novo Nordisk’s network in March using dormant access credentials and had continued to collect credentials over the following two‑and‑a‑half months, even after the company became aware of the breach. FulcrumSec asserted that it accessed the environment through a GitHub access token that allowed it to clone internal repositories and subsequently harvest further credentials.

According to FulcrumSec, the exfiltrated dataset comprised roughly 1.3 terabytes of data, evidenced by a list of over 700,000 files, and included source code, proprietary information on marketed and experimental drugs such as Amycretin and CagriSema, clinical trial data from the SELECT, FLOW, SOUL, FOCUS and ONWARDS studies, pseudonymized information on approximately 11,500 research subjects, and data on healthcare professionals and company employees. The group demanded a $25 million ransom, stating that after Novo Nordisk refused to pay it began exploring private sales of certain drug‑related and internal data while indicating it would withhold employee, physician and patient data as well as operational technology information as part of a harm‑reduction strategy. Novo Nordisk responded by saying it was aware of claims that data allegedly copied externally without authorization from its systems had been published online, that it took the matter seriously, maintained continued operation of its main platforms, and remained in contact with the relevant authorities. The company also warned patients that hackers had accessed its internal IT systems and exfiltrated certain clinical‑trial data, reiterating that the stolen information was pseudonymized and could not be directly tied to patient identities.

FulcrumSec further told DataBreaches.net on June 14 that it had shared purported correspondence with Novo Nordisk beginning June 1, which included a list of more than 700,000 files amounting to about 1.3 terabytes, as proof of its possession. The group said that Novo Nordisk representatives contacted it on June 3, roughly 48 hours after FulcrumSec’s initial outreach to unnamed company executives, and that the company used a random Proton Mail address to request specific files only Novo Nordisk could verify. While FulcrumSec claimed the attack was separate from any other intrusion, an individual using the handle TheUSERS007 alleged a second, unrelated cyberattack focused on Novo Nordisk’s AI assets, a claim that Novo Nordisk has not publicly acknowledged. At the time of the reports, Novo Nordisk had not appeared on FulcrumSec’s Tor‑based leak site, and the group indicated it preferred to open‑source the data as a deterrent rather than sell it, though it continued to explore private sales for certain datasets.
