THE article discusses a significant breach at Novo Nordisk, highlighted by the exploitation of a GitHub access token that led to unauthorized access to sensitive data. The attackers accessed essential information, including personal data from clinical trials and internal company documents, accumulating over 1.3TB of stolen data. Novo Nordisk indicated a breach of its internal IT systems and potential risks for targeted phishing attempts, while the attacking group, FulcrumSec, suggested a much broader breach.
Experts argue that the incident underscores a critical misunderstanding within organizations by treating secrets management primarily as a tooling issue, rather than as an identity problem that requires rigorous access control and monitoring of both human and machine identities in development environments. Recommended mitigation strategies include centralizing secrets management, enforcing least privilege access, and maintaining an inventory of non-human identities.