Novo Nordisk hackers steal 1.3TB of data after $25M extortion fails

Cyber extortion group FulcrumSec stole more than 1 terabyte of data from Novo Nordisk after the Danish pharmaceutical giant refused to pay a $25 million ransom, the group said Tuesday.

"The incident affected a limited amount of information related to patients participating in some of our clinical trials," Novo Nordisk said in a June 11 breach notice. The company said the stolen data was pseudonymized and could not be directly linked to patients by name or other direct identifiers.

FulcrumSec, a group that emerged in October 2025, said it spent more than two months inside Novo Nordisk's networks after gaining access through a GitHub access token in March. The group stole roughly 1.3 terabytes of data spanning more than 700,000 files, according to DataBreaches.net, which first reported the group's claims on June 14. The stolen data includes company source code, proprietary information on released and unreleased drugs, clinical trial data, internal AI model information, and data related to company production facilities.

The exposed patient data included randomly assigned ID numbers, sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors such as BMI, smoking status, and alcohol use. Novo Nordisk said patient names were not exposed. Healthcare providers had their company names, registration numbers, email addresses, phone numbers, office locations, and WhatsApp details compromised, putting them at risk of phishing or social engineering attacks.

Thomas Willkan, head of research at cybersecurity firm Lab-1 who has closely tracked FulcrumSec, said the hacking group is "usually quite legit in terms of both their capabilities and also their claims."

FulcrumSec said it would not share data on thousands of company employees, physicians, or the roughly 11,500 pseudonymised clinical trial patients as part of what it called a "harm-reduction strategy." The group also said it would withhold operational technology data related to sensors and machinery at Novo Nordisk production facilities. It is now exploring private sales of some of the stolen data related to certain drugs and other internal information.

Novo Nordisk said the cyberattack has had no impact on its core business operations, which remain running. The forensic investigation and data review are ongoing, and the company has not yet determined the number of individuals affected. The incident underscores the growing threat to pharmaceutical companies, which hold valuable intellectual property alongside sensitive clinical and patient data. Investors will watch for any regulatory action from GDPR or HIPAA authorities, as well as potential litigation from affected healthcare providers.

This article is for informational purposes only and does not constitute investment advice.