Hacking Group Claims Major Novo Nordisk Breach And $25 Million Extortion Attempt
A cyber extortion group has claimed responsibility for a major breach of pharmaceutical giant Novo Nordisk, alleging it stole more than a terabyte of data and attempted to extort the company for $25 million.
The group, known as FulcrumSec, says it spent more than two months inside Novo Nordisk’s networks before extracting a large volume of internal information. The alleged haul includes company source code, proprietary drug information, clinical trial data, employee records, doctor and patient information, details relating to processing facilities and internal artificial intelligence model data.
The claims follow Novo Nordisk’s confirmation on 11 June that it had identified an IT security incident involving unauthorised access to a limited number of internal systems. The Danish pharmaceutical company, best known for diabetes and weight loss treatments including Ozempic and Wegovy, said certain non-public data had been copied externally without authorisation.
Novo Nordisk has said its investigation remains ongoing and that it is working with external cybersecurity experts and relevant authorities. The company has also said its core business operations remain unaffected, although some internal IT systems were temporarily taken offline as part of its response.
FulcrumSec claims it demanded $25 million from Novo Nordisk before moving to explore private sales of parts of the allegedly stolen data. The group has indicated that some of the information may be offered to buyers, particularly data connected to drug development and other internal corporate material.
The authenticity of the full dataset has not been independently verified. However, the incident has drawn significant attention because of the sensitivity of the information allegedly involved. Pharmaceutical companies hold vast amounts of high-value data, from clinical research and intellectual property to manufacturing systems and patient-related information.
In its own incident update, Novo Nordisk said the exposed patient data related to some clinical trials and was pseudonymised. The company said the information was not directly linked to patients by name or other direct identifiers. Potential categories of affected data include patient IDs, sex, year of birth, biomarkers, health or immunogenicity information and lifestyle factors.
The company has said it does not consider the incident to pose an immediate risk to patients, but has advised affected individuals to remain vigilant and report anything unusual that they believe could be linked to the breach.
The alleged involvement of internal AI model information adds another layer of concern. As pharmaceutical companies increasingly use artificial intelligence for research, discovery, modelling and operational efficiency, those systems and the data behind them are becoming attractive targets for cybercriminals. Stolen model data, training material or internal tooling could expose commercially sensitive processes or assist competitors and malicious actors.
The case also highlights the growing risk of cyber extortion attacks against the healthcare and pharmaceutical sectors. Unlike traditional ransomware, where attackers encrypt systems and demand payment to restore access, many modern extortion groups focus on stealing sensitive data and threatening to publish or sell it. This can place enormous pressure on organisations even when core systems remain operational.
For drugmakers, the stakes are particularly high. Proprietary research, trial results, manufacturing information and regulatory material can represent years of investment and billions of dollars in commercial value. A breach involving this type of data can create legal, financial, reputational and competitive risks long after the initial intrusion is contained.
The healthcare sector is also a frequent target because of the value of personal and clinical data. Even when patient data is pseudonymised, organisations must still consider whether it could be combined with other information to identify individuals or expose sensitive health details.
FulcrumSec is a relatively new name in the cyber extortion landscape, having reportedly emerged in late 2025. Its claim against Novo Nordisk suggests that newer cybercriminal groups are increasingly targeting high-value corporate data rather than relying solely on disruptive ransomware attacks.
The incident is likely to renew questions about how pharmaceutical companies protect their research environments, clinical trial systems and internal AI infrastructure. As drug development becomes more data-driven, cybersecurity is no longer just an IT issue. It is now a critical part of protecting intellectual property, patient trust and business continuity.
Novo Nordisk’s investigation remains ongoing, and the full impact of the incident is still unclear. What is already clear is that cybercriminals see pharmaceutical data as a premium target, and that even major global companies face escalating pressure from increasingly ambitious extortion groups.
As cyber threats become more sophisticated, improving cybersecurity knowledge is one of the most practical steps individuals and organisations can take. Build your foundational understanding of online risks, strengthen your digital awareness and learn how to recognise common attack methods with The Hack Academy’s online training programme. Better cybersecurity starts with better knowledge.