Novo Nordisk rejects $25M after 1.3 TB data theft

On June 16, 2026, the extortion group FulcrumSec claimed to have stolen more than 1 TB of data from Novo Nordisk and demanded $25M. The company has confirmed an incident detected on June 11, is still investigating, and has not paid.

On June 11, 2026, Novo Nordisk, the Danish pharmaceutical group behind Ozempic and Wegovy, reported unauthorized access to "a limited number of internal systems," including exposure of clinical trial data. On June 16, 2026, the extortion group FulcrumSec claimed more than two months of dwell time in the network, exfiltration of up to 1.3 TB, and demanded $25M; the company rejected the demand. The attackers now say they are "exploring private sales" of the data. No production outage or patient-safety impact has been confirmed so far.

Key facts

  • When/who: incident detected by Novo Nordisk on June 11, 2026; FulcrumSec claim published on June 16, 2026.
  • What/how much: alleged exfiltration of more than 1 TB (up to 1.3 TB); $25M extortion demand (roughly €21.5M).
  • Declared impact: a limited number of internal systems and clinical trial data; no reported production disruption.

Legal framework

Under the GDPR, Article 32 requires security measures appropriate to the risk and to the state of the art, Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, and Article 34 requires communicating the breach to data subjects where it is likely to result in a high risk to them. On the cybersecurity side, essential and important entities under NIS 2 in Luxembourg must implement risk management measures and meet the NIS 2 notification timelines (24 h early warning, 72 h incident notification, final report within one month), including when an incident reaches them through a supplier or a subsidiary operating in the country.

What this means for Luxembourg organizations

  • Data theft followed by extortion is now the standard playbook: pressure comes from selective leaks, private sales and reputational harm, even without encryption or plant shutdowns.
  • Regulatory clocks start at awareness: meeting the 24 h / 72 h / one-month windows requires rapid detection, triage and notifications coordinated with your providers.
  • Traceability of R&D and trial data is critical: clinical databases, regulatory filings, protocols and patient/panel data must be inventoried and segmented.

Actions to take this week

  • Shrink initial access: phishing-resistant MFA (FIDO2/WebAuthn) for VPN and SaaS, short-lived sessions and tokens instead of persistent ones, secret rotation, disabling of dormant accounts, review of OAuth app grants, and cleanup of unused shares and tokens in R&D.
  • Harden the supply chain: require exportable logs, a documented NIS 2 plan and contractual alerting in under 12 h from providers; test revocation of third-party access (SSO, API, VPN) per project.
  • Detection and response: a managed SOC for detection and response (tracked MTTD/MTTR, EDR/XDR, alert correlation) and pre-approved notification playbooks for the CNPD and the ILR.
  • Communication and monitoring: prepare a no-pay stance and messages for patients and partners, and run dark web monitoring to track leaks and private sales.
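
The first item in that list (dormant accounts, non-phishing-resistant MFA on remote access, over-broad OAuth grants, persistent tokens) is the kind of check that is easy to script against an identity export. The Python script below is an added example, not code from the Luxgap article or from Novo Nordisk; the inventory layout, the field names, the sample records and the 90-day thresholds are all assumptions to be replaced with your own IdP, VPN and SaaS exports and policy values.

```python
"""Access-hygiene audit for the "shrink initial access" checklist.

Added example, not code from the Luxgap article or from Novo Nordisk.
The inventory layout, field names, sample records and thresholds are
assumptions: build the real inventory from your IdP, VPN and SaaS admin
exports and tune the thresholds to your own policy.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (assumption: one record per account,
# OAuth grant and long-lived credential). Timestamps are ISO 8601 UTC.
INVENTORY = {
    "accounts": [
        {"user": "alice", "last_login": "2026-06-10T08:00:00Z", "mfa": "fido2", "remote_access": True},
        {"user": "bob", "last_login": "2026-01-05T09:30:00Z", "mfa": "sms", "remote_access": True},
        {"user": "svc-trials-export", "last_login": None, "mfa": "none", "remote_access": False},
    ],
    "oauth_apps": [
        {"app": "Calendar Sync", "scopes": ["Calendars.Read"], "users": 120},
        {"app": "DocGrabber", "scopes": ["Files.ReadWrite.All", "Mail.Read"], "users": 1},
    ],
    "tokens": [
        {"owner": "alice", "kind": "api_key", "issued": "2026-06-01T00:00:00Z", "expires": "2026-07-01T00:00:00Z"},
        {"owner": "carol", "kind": "pat", "issued": "2025-02-01T00:00:00Z", "expires": None},
    ],
}

# Illustrative policy thresholds (assumptions, not values from the article).
NOW = datetime(2026, 6, 16, tzinfo=timezone.utc)   # audit date: the day of the FulcrumSec claim
DORMANT_AFTER = timedelta(days=90)                 # no login for 90 days => disable
MAX_TOKEN_LIFETIME = timedelta(days=90)            # longer than this, or non-expiring => rotate
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey"}
BROAD_SCOPE_MARKERS = (".All", "ReadWrite", "Mail.Read", "Directory")


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; None stays None (never logged in / no expiry)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(inventory, now=NOW):
    """Return (finding, subject) pairs for every checklist violation found."""
    findings = []

    for acct in inventory["accounts"]:
        last = parse_ts(acct["last_login"])
        # Dormant: never logged in, or silent for longer than the threshold.
        if last is None or now - last > DORMANT_AFTER:
            findings.append(("dormant_account", acct["user"]))
        # Remote access (VPN / SaaS) without phishing-resistant MFA.
        if acct["remote_access"] and acct["mfa"] not in PHISHING_RESISTANT:
            findings.append(("weak_mfa_on_remote_access", acct["user"]))

    for app in inventory["oauth_apps"]:
        # Tenant-wide or mailbox/file-wide scopes are the grants to review first.
        if any(marker in scope for scope in app["scopes"] for marker in BROAD_SCOPE_MARKERS):
            findings.append(("broad_oauth_scope", app["app"]))

    for tok in inventory["tokens"]:
        issued, expires = parse_ts(tok["issued"]), parse_ts(tok["expires"])
        # Persistent tokens: no expiry at all, or a lifetime beyond policy.
        if expires is None or expires - issued > MAX_TOKEN_LIFETIME:
            findings.append(("long_lived_token", f"{tok['owner']}:{tok['kind']}"))

    return findings


if __name__ == "__main__":
    for kind, subject in audit(INVENTORY):
        print(f"{kind:28} {subject}")
```

Run it as a script to list the findings, or import `audit` and feed it a real export. Each tuple maps to one action in the checklist: disable the dormant account, enforce FIDO2 on the remote-access account, revoke or re-scope the OAuth grant, rotate the token and give it an expiry.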

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.