Novo Nordisk Cyber Incident

Inside the Novo Nordisk Breach: Confirmed Facts vs. Threat-Actor Claims

On 11 June 2026, Novo Nordisk confirmed that attackers had accessed a limited number of internal IT systems and copied non-public data externally, including pseudonymized clinical trial records and healthcare-professional contact details. Days later, an extortion group calling itself FulcrumSec claimed a far larger haul on its leak site, roughly 1.3 terabytes across more than 700,000 files, spanning source code, drug-compound data, and AI/ML models used in drug discovery.
Through all of it, one fact stood apart: manufacturing never stopped. The Kalundborg facility, the largest insulin production site in the world, kept running. Distribution kept moving. That’s the part of this incident every OT-reliant organization should study closely, because it shows what a well-segmented IT/OT boundary can deliver under real pressure.
Shieldworkz built a complete incident analysis of the Novo Nordisk breach that does what most breach coverage skips: it separates what’s confirmed from what’s merely claimed, at every stage, and explains what both mean if you’re responsible for a plant, a grid, a pipeline, or any environment where downtime isn’t an option.

Why This Report Matters

Most breach coverage stops at “was the company hacked?” That’s not the question that matters to anyone accountable for a plant, a grid, or a production line. The real question is narrower: did anything in this incident touch the systems, data, or credentials connected to physical operations, and if it didn’t this time, what would it take for it to? Novo Nordisk’s confirmed disclosures answer part of that. The threat actors’ claims fill in the rest, and the gap between the two is exactly where the real lessons live.

The confirmed exposure is already serious. Novo Nordisk has confirmed unauthorized access and confirmed that pseudonymized clinical trial data and identifiable healthcare-professional records were copied externally, enough on its own to trigger regulatory notification and put patient and provider trust on the line.

The claimed exposure is an order of magnitude bigger, and unverified. FulcrumSec claims roughly 1.3 terabytes across 700,000+ files, including source code, compound records, and AI/ML models. A second, uncorroborated actor has claimed a separate intrusion with its own ransom demand. Neither claim has been forensically confirmed.

One line in the attackers’ claims deserves OT attention. FulcrumSec has referenced data related to “operational technology and software used to interact with sensors and equipment.” It’s unconfirmed and doesn’t describe live control-system access, but it flags a structural risk: engineering drawings and sensor interface code routinely sit inside ordinary corporate IT, simply because that’s where engineers save their work.

Encryption-free extortion is the model here, not the exception. No file encryption or destructive payload has been confirmed or even claimed by either actor. This is data theft and public pressure, a different threat model than most incident response plans are built around.

The named actors and mapped techniques give defenders something to act on. The threat actors are identified, their claimed TTPs are mapped to MITRE ATT&CK, and their targets are documented, which is useful for any sector running clinical R&D, proprietary process data, or AI-driven engineering pipelines.

Why You Should Download This Report

This isn’t a recycled press release with a threat-actor logo pasted on top. It earns the read for specific reasons:

It traces the claimed initial access point: cloud and source-control credentials allegedly embedded in client-side JavaScript on forgotten staging subdomains, a blind spot most secret-scanning tools miss.

It maps the claimed attack chain to MITRE ATT&CK, giving detection teams a testable hypothesis, with every step honestly labeled as claimed, not confirmed.

It separates confirmed fact from threat-actor claim at every stage, so nothing gets reported to a board or regulator as settled when it isn’t.

It dedicates a full section to the one OT-adjacent claim in this incident, walking through why it deserves scrutiny rather than panic or dismissal.

It closes with a sequenced defensive roadmap, from the next 30 days out to 9-plus months, covering secrets hygiene, access management, and long-term IT/OT governance.

Key Takeaways from the Report

This was a confirmed data-confidentiality breach, not a confirmed ransomware or OT/ICS incident. Novo Nordisk confirmed exposure of clinical trial and HCP data, and stated manufacturing and distribution were unaffected.

The claimed scope is significantly broader than the confirmed scope. Source code, compound data, and AI models feature heavily in the claims but remain unverified.

Data-theft extortion without encryption is now a dominant playbook. Response plans built solely around “systems get encrypted, restore from backup” don’t cover this threat model.

Secrets in client-side code on forgotten subdomains are a genuine blind spot. Production domains get monitored; the staging environment spun up eighteen months ago typically doesn’t.

AI and ML assets are now crown-jewel targets. Model weights, training data, and pipeline infrastructure are being treated as equal to, or more valuable than, clinical and compound data.

Operational continuity and data confidentiality are not the same risk. Novo Nordisk had a serious confidentiality breach and an operationally clean incident at the same time. Treating “production never stopped” as proof “we’re fine” is a mistake your risk register shouldn’t make.
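The secrets-in-client-side-code takeaway above is the one point on this page a defender can check directly. As an added example (not from the Shieldworkz report or Novo Nordisk), here is a small Python scanner over constructed JavaScript bundles: it flags common credential shapes and singles out hits on hosts outside the monitored inventory, which is exactly where a forgotten staging subdomain falls. The hostnames, bundles and token values are all made up.

```python
import re
from urllib.parse import urlparse

# Constructed sample bundles (not from the incident): one served by a forgotten
# staging host, one by the monitored production host. All values are fake.
SAMPLE_ASSETS = {
    "https://staging-2024.example.test/static/app.js": (
        'const aws = { region: "eu-west-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE" };\n'
        'const cfg = { apiKey: "staging-api-key-placeholder-0000" };\n'
        'fetch(GH, { headers: { Authorization: "token ghp_0123456789abcdefghijABCDEFGHIJ012345" } });\n'
    ),
    "https://www.example.test/static/main.js": (
        'const API_BASE = "https://api.example.test/v1";\n'
        'export const version = "3.2.1";\n'
    ),
}

# Credential shapes worth flagging in shipped JavaScript: well-known token
# prefixes first, then a generic key/secret assignment with a long literal value.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{12,})["']"""
    ),
}

def redact(value):
    """Keep enough to triage, never the whole secret, so the report itself is safe to log."""
    return f"{value[:6]}...({len(value)} chars)"

def scan_js(url, body):
    """Return (url, pattern_name, line_no, redacted_match) for every hit in one asset."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(body):
            raw = m.group(1) if m.groups() else m.group(0)
            line_no = body.count("\n", 0, m.start()) + 1
            hits.append((url, name, line_no, redact(raw)))
    return hits

def scan_assets(assets):
    """Scan every fetched asset; assets maps URL -> response body."""
    return [hit for url, body in assets.items() for hit in scan_js(url, body)]

def outside_monitoring(findings, monitored_hosts):
    """Hits on hosts nobody watches: the forgotten-staging-subdomain blind spot."""
    return [f for f in findings if urlparse(f[0]).hostname not in monitored_hosts]
```

Run `scan_assets(SAMPLE_ASSETS)` and pass the result to `outside_monitoring` with your monitored host set; in practice the asset map comes from fetching the bundles of every host in your subdomain inventory, not just production.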

How Shieldworkz Supports Your OT Cyber Resilience Journey

Reading a sharp incident report is useful. Knowing whether the same gap exists in your own environment is what actually changes your risk posture, and that’s where Shieldworkz comes in.

Shieldworkz protects the industrial systems that keep plants, grids, and critical infrastructure running. Our OThello Assess methodology delivers full OT security assessments in under 24 hours, so you get a real answer, not an assumption, about whether your IT/OT boundary is holding the way you think it is.

Beyond assessments, our team delivers NIS2 and IEC 62443 compliance programs, fully staffed OT Security Operations Centers, sector-tuned threat intelligence advisories, and regulatory readiness engagements across NERC CIP, SOCI, Saudi OTCC/ECC, and the Singapore Cybersecurity Act, backed by one of the largest OT and IoT threat intelligence operations in the world.

Know Your Gap Between Confirmed and Claimed, Get the Full Analysis

The Shieldworkz Novo Nordisk Incident Analysis is available for download at no cost to industrial operators and security decision-makers, covering the confirmed timeline, the claimed attack chain, the ATT&CK mapping, the full business-impact assessment, and a defensive roadmap sequenced from the next 30 days out to the next year.

Download the Report (no signup required). You will also have the option to book a no-obligation 30-minute consultation with a Shieldworkz OT security specialist, where we can walk through the report’s findings as they apply to your specific sector, infrastructure, and current security posture.

Bring your own questions to the conversation: Where does your OT-relevant data actually live? Who could reach it from an ordinary IT compromise? Would your segmentation hold the way Novo Nordisk’s apparently did?

To understand how the confirmed Novo Nordisk breach and the unverified OT-adjacent claims could translate to your environment, book a threat intelligence briefing with our experts today.