ctipilot.ch


UPDATE: Novo Nordisk — FulcrumSec claims authorship, $25M demand refused, data offered for private sale

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

UPDATE (originally covered 2026-06-13): The cloud data-extortion group FulcrumSec has publicly claimed the Novo Nordisk breach, saying it spent more than two months inside the networks and exfiltrated roughly 1.3 TB (~700,000 files) including source code, drug-pipeline data, ~11,500 pseudonymised clinical-trial records and internal AI artefacts; it demanded $25M, was refused, and is now exploring private sale of the data (Global Banking & Finance Review, 2026-06-16).

FulcrumSec is a data-theft-only (non-ransomware) group active since late 2025 with 21+ prior claimed victims; an actor profile characterises its access vectors as unpatched public-facing apps, dormant/embedded credentials and API keys, absent MFA and misconfigured cloud storage (MOXFIVE, 2026-06-10). Novo Nordisk has confirmed unauthorised access to a limited number of internal systems and pseudonymised clinical-trial data exposure but has not validated FulcrumSec's scope claims (Insurance Business Magazine, 2026-06-16). Detection focus for FulcrumSec-style actors: large outbound transfers (DLP), cloud-storage access logs, OAuth grants to unfamiliar apps, and long-dwell reuse of stale service-account credentials. Enforce MFA on all privileged cloud identities and rotate dormant credentials.
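An added example, not part of the original brief: one way to hunt for the stale service-account credential reuse named in the detection focus above, run over constructed authentication events. The event schema, account names, key ids and the 90-day dormancy threshold are assumptions; map them to the fields of your own cloud audit logs.

```python
from datetime import datetime, timedelta

# Constructed sample events in a generic, hypothetical schema
# (not any cloud provider's real audit-log format).
SAMPLE_EVENTS = [
    {"ts": "2026-01-05T08:00:00", "principal": "svc-backup", "key_id": "key-A", "src": "10.0.4.12"},
    {"ts": "2026-01-06T08:00:00", "principal": "svc-backup", "key_id": "key-A", "src": "10.0.4.12"},
    {"ts": "2026-01-07T09:30:00", "principal": "svc-ci", "key_id": "key-B", "src": "10.0.7.3"},
    {"ts": "2026-03-01T09:30:00", "principal": "svc-ci", "key_id": "key-B", "src": "10.0.7.3"},
    {"ts": "2026-05-20T02:14:00", "principal": "svc-backup", "key_id": "key-A", "src": "203.0.113.50"},
    {"ts": "2026-05-21T09:30:00", "principal": "svc-ci", "key_id": "key-B", "src": "10.0.7.3"},
]


def find_dormant_reuse(events, dormancy_days=90):
    """Flag each authentication that follows at least `dormancy_days`
    of silence for the same (principal, key) pair."""
    threshold = timedelta(days=dormancy_days)
    last_seen = {}   # (principal, key_id) -> datetime of previous use
    known_src = {}   # (principal, key_id) -> source addresses seen so far
    findings = []
    # ISO-8601 timestamps of equal length sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        cred = (ev["principal"], ev["key_id"])
        ts = datetime.fromisoformat(ev["ts"])
        prev = last_seen.get(cred)
        if prev is not None and ts - prev >= threshold:
            findings.append({
                "principal": ev["principal"],
                "key_id": ev["key_id"],
                "idle_days": (ts - prev).days,
                "ts": ev["ts"],
                # A never-before-seen source raises triage priority.
                "new_source": ev["src"] not in known_src[cred],
            })
        last_seen[cred] = ts
        known_src.setdefault(cred, set()).add(ev["src"])
    return findings


if __name__ == "__main__":
    for finding in find_dormant_reuse(SAMPLE_EVENTS):
        print(finding)
```

Credentials that surface here and have no owner who can explain the gap are the ones to rotate or revoke first.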