FULCRUMSEC has released 1.3 TB of data stolen from Novo Nordisk after the pharmaceutical firm refused to meet a $25 million ransom demand.
The breach confirms that attackers achieved persistent access to the company’s internal networks and were able to exfiltrate large volumes of sensitive information.
Novo Nordisk disclosed the incident shortly after the leak appeared on a dark‑web forum linked to the group.
The leaked material contains pseudonymised clinical‑trial records, personal details of healthcare providers and a trove of AI research assets, including a multimodal model checkpoint, training data sets and source code.
Security analysts note that the inclusion of model checkpoints could allow threat actors to replicate or weaponise the company’s machine‑learning work.
In addition to the AI artefacts, the dump includes spreadsheets detailing trial protocols and interim results that have not yet been published.
While the data is pseudonymised, experts caution that re‑identification risks remain when combined with external data sets.
The attack was claimed by the data‑theft extortion group FulcrumSec, which said it had accessed Novo Nordisk’s internal IT systems and threatened to publish the data unless the ransom was paid.
Novo Nordisk has engaged external forensic investigators while maintaining that drug production continues without interruption.
Law‑enforcement agencies in Europe and the United States have been notified and are assisting with the investigation.
Security researchers warn that the exposure of proprietary AI models could undermine Novo Nordisk’s drug‑discovery pipeline and give competitors an unfair advantage, while the leakage of trial information raises privacy concerns for patients involved in the studies.
The incident highlights a growing trend where extortion groups target valuable intellectual property in addition to personal data.
For the pharmaceutical sector, the loss of early‑stage research can delay the launch of new therapies and erode investor confidence.
Organisations should review network segmentation to limit lateral movement, deploy data‑loss‑prevention tools that can detect large outbound transfers and enforce strict privilege‑access controls on systems holding clinical or research data.
Regular reviews of authentication logs and endpoint telemetry can help identify anomalous behaviour before data is staged for export.
Implementing multi‑factor authentication on privileged accounts and restricting the use of removable media are basic but effective steps.
Companies should also ensure that encryption keys for sensitive databases are stored separately from the data itself.
Firms are advised to test backup restoration procedures, maintain an up‑to‑date incident‑response plan that includes engagement with law‑enforcement and consider a clear policy on ransom demands before an incident occurs.
By rehearsing response scenarios and keeping communication channels open with regulators, companies can reduce the operational fallout of a breach.
Transparent communication with affected patients and healthcare providers, where legally permissible, helps preserve trust during the aftermath.