Novo Nordisk Data Breach — A Two-Layer Pharma Extortion Story

Novo Nordisk Data Breach — A Two-Layer Pharma Extortion Story


Disclosure timeline

Danish pharmaceutical giant Novo Nordisk, the world’s largest producer of insulin, disclosed a data breach affecting patient information from some clinical trials on June 11, 2026. Attackers gained access to internal IT systems and data related to patients participating in some clinical trials, including patient IDs (random alphanumeric strings), trial participation details, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors like smoking, alcohol use, and BMI.

Two distinct exposure categories

Patient data: Novo Nordisk pseudonymized this patient data before the breach took place. Because the records contain no names or direct identifiers, the company believes attackers cannot match the data to specific individuals — identifying a participant would require separate records linking pseudonymized IDs back to real identities, which attackers did not access.

Healthcare professional data: this is the more dangerous half. Unlike the patient data, Novo Nordisk did not pseudonymize any of this information. Exposed details include names, professional registration numbers, email addresses, phone numbers, WhatsApp contacts, and office locations. Novo Nordisk warned affected HCPs to be wary of unexpected messages or calls, as they may be targeted in phishing attacks via e-mail, phone, WhatsApp, or fraudulent messages impersonating their colleagues.

Why this combination matters more than either piece alone

This is the sharpest insight from the incident, and it’s worth dwelling on: Novo split this into a patient data story and a healthcare professional data story, but attackers will read it as one. Trial records are pseudonymized, but the HCP exposure hands attackers names, phone numbers, WhatsApp details, and office locations of the physicians who ran those trials — and those physicians handle the records that connect coded patient IDs to real people. Social engineering a doctor whose WhatsApp number and office address you already have is faster than any statistical de-anonymization attack.

Threat actor and extortion attempt

The incident now appears to have been a $25 million extortion attempt by hack-and-leak group FulcrumSec, a cybercriminal network that emerged at the end of 2025 and specializes in breaching corporate cloud databases on AWS or Azure, downloading sensitive information, then demanding payment to avoid public sale. FulcrumSec claimed it had been accessing Novo Nordisk’s systems since March 2026 using dormant access credentials, and was able to find additional credentials over the following two-and-a-half months — even after Novo Nordisk became aware of the breach — allowing continued data copying.

The group claims to have accessed source code and AI models, proprietary information on marketed and experimental drugs including Amycretin and CagriSema for weight loss and diabetes, and clinical trial data — all of value to rival organizations. After the extortion attempt failed, FulcrumSec has reportedly offered the exfiltrated data for sale via Dark Web channels.

A possible second, separate incident

DataBreaches.net reported being contacted by another individual, going by TheUSERS007, claiming to have lifted data from Novo Nordisk in a second, unrelated cyberattack focused on AI assets. Novo Nordisk has not acknowledged this second breach claim, with a spokesperson stating only that the company is “aware of claims that data allegedly copied externally without authorisation from our systems has been published online” and is in contact with relevant authorities.

Company response

Novo Nordisk took the compromised internal IT systems offline and is working to bring them back online in a controlled and safe manner, while stating that core business operations were not impacted. The company launched an investigation with the assistance of external cybersecurity experts and is working with relevant authorities to assess the scope of the breach.

Risk assessment from security researchers

Pseudonymized clinical trial data can create a false sense of comfort — with life sciences, context around the data matters. Trial participation details, treatment area, demographics, and research attributes can become sensitive when combined with other sources; attackers do not need a complete patient profile to create harm. Even when a breach doesn’t include patient names, attackers may try to reverse-engineer identities by pairing details like birth date, postal code, or gender with outside data sources, and can use partial medical details to build convincing phishing messages or pressure people with deeply personal-feeling information.

Wider pattern

The incident comes amid growing concerns over cyber threats targeting organizations underpinning critical supply chains and public well-being, following recent attacks like the West Pharmaceutical Services ransomware incident that disrupted manufacturing, shipping, and receiving operations in May.

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.