
Scoop: FulcrumSec Leaks Novo Nordisk Data After $25M Demand Goes Unpaid (2) - DataBreaches.Net


Danish pharma giant Novo Nordisk disclosed a cybersecurity incident last week, and although the firm’s name may not be familiar to everyone, they are a major producer of insulin and semaglutide. Semaglutide is marketed as Wegovy for weight loss and Ozempic for Type 2 diabetes.

In its June 11 update, the firm stated that the incident affected a limited amount of information related to patients participating in some of its clinical trials. As they described it, the information was pseudoanonymized, i.e., the information was not directly linked to any patients by name or other direct identifiers:

Information about identity would therefore require access to underlying information, identifying patients by name etc. This information was not exposed. We therefore do not consider the incident to enable any third party to identify participants in our clinical trials. This communication serves as information only and there is no need for our patients to take any specific action as a result of the incident.

The involved categories of personal data about affected patients include the following:

Patient ID (random alphanumeric string) and information on trial participation

Sex

Year of birth

Biomarkers

Health/immunogenicity data

lifestyle factors, e.g. smoking, alcohol use, BMI

For the benefit of readers who may be unsure what "pseudoanonymized" really means: it means that somewhere there is a master key that contains the patients’ real names and could tie the recorded measures to their real identities.

In this case, it means that the attackers did not get the master key. But what would happen if other attackers or a rogue insider acquired the master key later? Any data leaked now might eventually be tied to real identities – either by a master key or by combining it with other datasets.
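The linkage risk described above can be measured rather than argued about. The following added example (not from the article or from Novo Nordisk) runs a k-anonymity check over constructed records shaped like the fields the article lists (sex, year of birth, BMI): it reports how many pseudonymised records are alone in their quasi-identifier class, and shows how coarsening those fields raises the smallest class size. All patient IDs and values are made up.

```python
from collections import Counter

# Constructed sample of pseudonymised trial records; no real data.
RECORDS = [
    {"patient_id": "X7Q2K9", "sex": "F", "year_of_birth": 1961, "bmi": 31.4},
    {"patient_id": "M3P8L1", "sex": "F", "year_of_birth": 1961, "bmi": 33.0},
    {"patient_id": "R9T4N6", "sex": "M", "year_of_birth": 1958, "bmi": 30.6},
    {"patient_id": "B2W7H5", "sex": "M", "year_of_birth": 1958, "bmi": 30.9},
    {"patient_id": "K5D1V3", "sex": "M", "year_of_birth": 1972, "bmi": 41.7},
    {"patient_id": "J8F6C2", "sex": "F", "year_of_birth": 1965, "bmi": 27.1},
    {"patient_id": "T4H9Q1", "sex": "M", "year_of_birth": 1970, "bmi": 36.0},
    {"patient_id": "W6N2S8", "sex": "F", "year_of_birth": 1966, "bmi": 28.4},
]


def exact_key(rec):
    """Quasi-identifiers as released: sex, exact birth year, BMI to one unit."""
    return (rec["sex"], rec["year_of_birth"], round(rec["bmi"]))


def generalised_key(rec):
    """Coarser quasi-identifiers: 5-year birth cohort and a BMI band."""
    cohort = rec["year_of_birth"] // 5 * 5
    bmi = rec["bmi"]
    band = "under30" if bmi < 30 else "30-35" if bmi < 35 else "35+"
    return (rec["sex"], cohort, band)


def k_anonymity(records, key_fn):
    """Return (k, unique_ids).

    k is the size of the smallest equivalence class over the chosen
    quasi-identifiers. unique_ids lists records that are alone in their
    class: these are the ones an external dataset carrying the same
    attributes (plus names) could single out, even without the master key.
    """
    classes = Counter(key_fn(r) for r in records)
    k = min(classes.values())
    unique = [r["patient_id"] for r in records if classes[key_fn(r)] == 1]
    return k, unique


if __name__ == "__main__":
    for label, fn in (("as released", exact_key), ("generalised", generalised_key)):
        k, unique = k_anonymity(RECORDS, fn)
        print(f"{label}: k={k}, singled-out records={unique}")
```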

FulcrumSec Claims Responsibility

The hack-and-leak group known as FulcrumSec contacted DataBreaches on June 13 to claim responsibility for the incident.

According to information provided to DataBreaches, FulcrumSec first gained access to Novo Nordisk’s network in March, after finding an "exposed high-priv GitHub personal access token in client-side JS on an obscure subdomain. We cloned these repos and searched for additional credentials to move laterally. We found them, and kept finding them in the new data, and kept spidering through their systems in this fashion."
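The initial foothold described above, a GitHub personal access token shipped in front-end JavaScript, is the kind of exposure a site owner can find in their own build output before anyone else does. This added example (not the article's or FulcrumSec's code) scans a JavaScript bundle for the documented GitHub token prefixes and reports masked findings with line numbers; the bundle and the token in it are constructed and fake. Any hit is a rotate-first event, since the token has already been published to every browser that loaded the page.

```python
import re

# Documented GitHub token shapes: classic PATs "ghp_", fine-grained PATs
# "github_pat_", OAuth tokens "gho_", app user/server tokens "ghu_"/"ghs_".
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,255}\b"),
    "github_oauth_or_app_token": re.compile(r"\bgh[osu]_[A-Za-z0-9]{36}\b"),
}

# Constructed sample of a built front-end bundle; the token is fake.
SAMPLE_BUNDLE = """// app.bundle.js (constructed sample)
const api = "https://api.github.com/repos/example-org/internal-app";
const headers = { Authorization: "token ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0" };
fetch(api, { headers }).then(r => r.json());
"""


def mask(token, keep=8):
    """Keep the prefix and last four characters so a finding can be
    matched to a token in the issuing account without re-publishing it."""
    return token[:keep] + "..." + token[-4:]


def scan_js(source, path="<inline>"):
    """Return one finding per token-shaped string in the given JS source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "type": name,
                    "token": mask(match.group()),
                })
    return findings


if __name__ == "__main__":
    for f in scan_js(SAMPLE_BUNDLE, "app.bundle.js"):
        print(f"{f['path']}:{f['line']} {f['type']} {f['token']}  -> rotate now")
```

Run it over the built assets of every public host, including forgotten subdomains, rather than only over source repositories, because bundlers inline environment variables that never appear in the checked-in code.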

DataBreaches routinely asks threat actors whether their victims detected them and were able to kick them out. In this case, FulcrumSec answered that Novo Nordisk "were very slow; we had completed exfiltration long before they rotated any credentials. And we kept finding more interesting live creds weeks after they noticed and killed the Github token we used initially. We found the CDD vault, for example, after they knew about the breach but didn’t think to rotate those creds. They never even realized we had compromised their Okta or HuggingFace accounts."

Overall, FulcrumSec was highly critical of Novo Nordisk’s security:

It was absolutely catastrophic given their stature and access to resources. So terrible that it would also be shockingly bad if they were a ~20m ARR startup. It boggles the mind. We’ve run into tiny companies that detect us within 24 hours, with maybe .01% of the resources Novo has.

Some might suspect that this was just sour grapes on FulcrumSec’s part as they did not get paid, but FulcrumSec told DataBreaches that they estimate they were in Novo Nordisk’s systems for about 2 1/2 months. "They rotated the first GitHub creds sooner than that, but I think even those were active for a month or so," FulcrumSec’s spokesperson stated.

Because Novo Nordisk declined to provide any additional information at this time, DataBreaches was unable to determine whether it would confirm or refute FulcrumSec’s statements regarding access and their incident response.

Patient Data

According to both Novo Nordisk and FulcrumSec, there was a relatively small amount of patient/research participant data in the exfiltrated data. Approximately 11,500 research participants had pseudoanonymized clinical trial records obtained. The patient/participant data was connected to clinical trials that included:

The SELECT trial, which compared once-weekly subcutaneous semaglutide with placebo to prevent major adverse cardiovascular events over up to 5 years. The vast majority (about 11,000) were from this trial. For the 1,370 participants who stopped treatment, about 1,067 did so due to adverse events.

Other participants were from the FLOW trial, which tested the effectiveness of once-weekly subcutaneous semaglutide in patients with chronic kidney disease and Type 2 diabetes mellitus; the SOUL trial, which tested the cardiovascular efficacy of oral semaglutide in people with Type 2 diabetes and established atherosclerotic cardiovascular disease and/or chronic kidney...
