Novo Nordisk has disclosed an information technology security incident after unauthorized access to company systems, and a cyber extortion group has publicly claimed responsibility for the attack while alleging that it removed more than one terabyte of company data. A separate individual or group has also claimed to have compromised certain Novo Nordisk systems during June 2026. Novo Nordisk has confirmed the disclosed incident associated with the first claim but has not confirmed the second reported intrusion.
Company Disclosure
Novo Nordisk announced an information technology security incident on June 11, 2026. The company stated that it identified unauthorized activity affecting its information technology environment and initiated its incident response procedures. The company also reported that relevant authorities were notified and that containment and investigation activities were underway.
There was no mention of any impact of the incident on patient care or manufacturing operations. There was also no confirmed report of exposure of protected health information (PHI).
Public Claims by FulcrumSec
A cyber extortion group identified as FulcrumSec claimed responsibility for the attack disclosed by Novo Nordisk. The group stated that it has operated since at least September 2025 and focuses on rapid theft of information from cloud-hosted environments before demanding payment to prevent publication or sale of the data.
FulcrumSec alleged that approximately 1.3 terabytes of information were copied from Novo Nordisk over a period of several weeks. The group also stated that it posted sample files on its dark web leak site after Novo Nordisk declined to meet a ransom demand reportedly valued at $25 million.
The stolen information potentially includes clinical trial material, intellectual property, artificial intelligence models used for drug discovery, source code repositories, proprietary drug compound information, employee records, datasets, and information associated with undisclosed drug programs. FulcrumSec also claimed possession of pseudonymized clinical trial patient data and manufacturing information related to one of the company’s drugs.
FulcrumSec reported that only part of the claimed dataset has been published. The group stated that approximately 264 gigabytes had been made available for download while approximately 1.05 terabytes remained withheld.
Claimed Method of Access
FulcrumSec described an alleged intrusion path involving exposed credentials associated with client-side JavaScript deployed on two separate Novo Nordisk subdomains. The group also claimed that Azure container registry credentials and a GitHub personal access token enabled access to repositories containing application credentials, database credentials, application programming interface tokens, and service account passwords.
FulcrumSec also claimed that the company’s security team identified unauthorized activity within GitHub approximately two weeks after the initial compromise and within Azure after approximately three weeks. Novo Nordisk has not confirmed these technical allegations.
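The class of exposure alleged above, credentials reachable through client-side JavaScript, is something a build pipeline can check for before deployment. The following is an added example, not code from Novo Nordisk, FulcrumSec, or the original report; the file name, hostnames, token value, and the two heuristic rules are assumptions constructed for illustration.

```javascript
// Added example: scan built client-side JavaScript for credential material before deploy.
// ghp_ and github_pat_ are GitHub's token prefixes; the other two rules are
// heuristics chosen for this example (assumptions), not a complete rule set.
const RULES = [
  { id: "github-classic-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "github-fine-grained-pat", re: /\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b/g },
  // A container registry host has no reason to appear in code shipped to browsers.
  { id: "acr-host-reference", re: /\b[a-z0-9]+\.azurecr\.io\b/g },
  // A secret-looking key assigned a long string literal.
  { id: "generic-secret-assignment",
    re: /\b(?:password|passwd|secret|api[_-]?key|token)\b["']?\s*[:=]\s*["'][^"'\s]{12,}["']/gi },
];

// Keep only a short prefix so the CI log does not become a second copy of the secret.
function redact(text) {
  return text.slice(0, 6) + "...(" + text.length + " chars)";
}

// Returns one finding per match. Minified bundles are often a single long line,
// so the column is reported alongside the line number.
function scanBundle(file, source) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split("\n").length;
      const column = m.index - source.lastIndexOf("\n", m.index - 1);
      findings.push({ file, rule: id, line, column, preview: redact(m[0]) });
    }
  }
  return findings;
}

// Constructed sample input: a fake token and hypothetical hostnames, not real values.
const FAKE_PAT = "ghp_" + "A".repeat(36);
const SAMPLE_BUNDLE = [
  '!function(){var cfg={apiBase:"https://api.example.test",',
  'registry:"exampleregistry.azurecr.io",token:"' + FAKE_PAT + '"};',
  'var theme={primaryColor:"#003366"};}();',
].join("\n");

const sampleFindings = scanBundle("app.min.js", SAMPLE_BUNDLE);
for (const f of sampleFindings) {
  console.log(`${f.file}:${f.line}:${f.column} ${f.rule} ${f.preview}`);
}
// A build step would fail the pipeline when the list is non-empty.
```

Any token found this way should be revoked and reissued, since removing it from the bundle does not invalidate copies already served to browsers.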
Separate June 2026 Intrusion Claim
An individual or group using the name TheUSERS007 also claimed responsibility for an attack. The individual stated that Novo Nordisk systems were accessed between June 5 and June 7, 2026, after the intrusion claimed by FulcrumSec.
TheUSERS007 reportedly demanded a $50 million ransom and asserted that access was obtained through a self-learning artificial intelligence tool identified as venomware. FulcrumSec referenced this separate claim on its leak site and suggested that it could represent a legitimate incident.
Novo Nordisk has not confirmed this separate reported intrusion. The company’s disclosed information technology security incident relates to the attack claimed by FulcrumSec rather than the second reported event.
Compliance Considerations
The disclosed information technology security incident is under active investigation, and separate public claims remain unconfirmed by Novo Nordisk. Organizations reviewing reports of cyber incidents should distinguish between information confirmed by the affected organization and statements made by threat actors.