Danish pharmaceutical maker Novo Nordisk disclosed on 11 June that an external party gained unauthorised access to a limited number of internal IT systems and copied non-public data, including clinical-trial participant records and healthcare-professional (HCP) contact information (Novo Nordisk, 2026-06-11). The clinical-trial data is described as pseudonymised — random alphanumeric participant IDs plus sex, year of birth, biomarkers, immunogenicity and health data, and lifestyle factors — and not directly linked to names. The HCP data, however, is directly identifying: names, registration numbers, email addresses, phone numbers, WhatsApp contact details and office locations (BleepingComputer, 2026-06-12). The initial-access vector is not disclosed and no threat actor has been named; affected systems were taken offline and authorities engaged. As an EU-registered controller processing EU/EEA trial data, the breach engages GDPR Article 33 and Danish Datatilsynet notification, and Swiss equivalents under the nDSG for domestic trials.
Defender takeaway: The HCP record set (name + phone + WhatsApp for named clinical investigators) is a complete spear-phishing targeting package — brief clinical-research and pharma-partner staff on elevated social-engineering risk, and watch for WhatsApp/SMS pretexting against named researchers, since no malware IOCs are available to anchor a hunt.