Key takeaways
- Public reporting indicates initial access came from one leaked access token, which was then used to reach far more than it ever should have.
- The alleged haul was overwhelmingly unstructured data — source code, clinical and research records, manufacturing documents, AI models — the files that pile up on file shares and repositories for years.
- A claimed dwell time of more than two months of reading and cloning at scale is exactly the pattern storage-layer behavioral detection exists to catch.
- Novo Nordisk declined to pay; the group began leaking. Backups and vaults restore nothing once data is already published.
In June 2026, an extortion group calling itself FulcrumSec claimed it had stolen roughly 1.3 terabytes of data from Novo Nordisk — the Danish pharmaceutical company behind Ozempic and Wegovy — and demanded $25 million. According to public reporting from outlets including SecurityWeek, Dark Reading, Cybernews, and BankInfoSecurity, the group offered a list of more than 700,000 files as proof of possession. Novo Nordisk confirmed that attackers gained unauthorized access to a limited number of internal systems and copied non-public data, and said that patient-related information involved was pseudonymized and could not be directly linked to individuals without additional data the attackers did not hold.
The reported path in is the part every security team should sit with. Public reporting indicates the attackers found a GitHub access token around March 2026, used it to clone repositories and harvest additional credentials, and then remained inside the company’s cloud and code infrastructure for more than two months before surfacing a ransom demand. One credential became a key to a great deal more than one repository.
One credential should not reach everything
The alleged inventory reads like a map of a pharmaceutical company’s most sensitive unstructured data: source code, proprietary data on marketed and undisclosed drug programs, clinical-trial and research records, private AI models, and documents tied to manufacturing and production technology. This is not a single database. It is the accumulated file estate of a large enterprise — the material that lives on network-attached storage, in repositories, and across shares, reachable over SMB, NFS, S3, and Web Drive.
When one leaked token can traverse that much, the failure is not only that the token leaked. It is that nothing constrained how far a single credential could reach, and nothing recognized that the credential was reaching. Attribute-based access control enforces least privilege at the file, per operation, so a compromised account is boxed into what it legitimately needs rather than free to roam a decade of programs and records.
More than two months is a long time to read files unseen
If the reported timeline holds, the attackers spent over two months reading and cloning at scale. That is not a lightning smash-and-grab; it is a sustained bulk-read campaign against production data. A session that steadily reads hundreds of thousands of files it has no prior relationship with is behaviorally unmistakable — but only if something at the storage layer is doing behavioral analysis on every operation rather than simply serving requests.
This is what Active Defense is built to do: profile normal access per user, host, and dataset, recognize when a pattern of reads departs from it, and terminate the session before the staging completes. RackTop filed for the inline Active Defense architecture on September 8, 2020 — ten months before Gartner named the Cyberstorage category in July 2021 — and it is one of four U.S. patents on the architecture. The reason the approach exists is precisely incidents that look like this one.
The data-layer lessons
First: least privilege has to be real and enforced where the files live, not just asserted at the identity provider. A token’s blast radius should be a design constraint, not an afterthought discovered during incident response.
Second: detection has to reach the data itself. Endpoint and network tools sit upstream of the read that actually matters; a credentialed session pulling files off storage looks like ordinary I/O to a NAS that is not watching behavior.
Third: when data has already left, an immutable, per-operation audit trail is the difference between a precise disclosure and a worst-case assumption. Novo Nordisk declined to pay, and the group began leaking — a reminder that no backup or vault un-publishes a file. The only moment this class of attack can be stopped is while it is happening. The architectural question it poses could be asked of nearly any enterprise: when a single credential starts reading your data at scale, does anything see it?
