FulcrumSec Leaks 1.3 TB of Clinical Trial and AI Research Data from Novo Nordisk
What Happened — On June 15 2026 the extortion group FulcrumSec began publishing files it claims to have stolen from Novo Nordisk, including 1.3 TB of clinical‑trial records and proprietary AI‑research assets. The company confirmed unauthorized access to a limited set of internal systems and exposure of pseudonymized patient data, while also acknowledging that provider‑level contact information may have been taken.
Why It Matters for Compliance & Audit Readiness
- The breach illustrates a classic privacy‑impact scenario that SOC 2 CC‑5 (Confidentiality) and GDPR/CCPA obligations are designed to mitigate and document.
- Continuous evidence of data‑handling controls, consent management, and DSAR readiness becomes critical to demonstrate due diligence during an audit.
- Verisq’s CookiePLUS privacy suite provides the automated consent capture and data‑subject request workflow needed to turn this incident into a defensible audit artifact.
Who Is Affected – Pharmaceutical manufacturers, clinical‑trial sponsors, and the healthcare providers that support them.
Recommended Actions –
- Map the exposed data elements to SOC 2 CC‑5 and GDPR/CCPA controls; verify that pseudonymization and access‑restriction policies are enforced.
- Collect and preserve logs, access records, and data‑flow diagrams as audit evidence of the breach response.
- Deploy a privacy‑management solution (e.g., CookiePLUS) to automate consent records and DSAR handling for any future data‑subject inquiries.
Technical Notes – The attackers claim foothold since March 2026, likely via stolen credentials; leaked assets include patient IDs, biomarkers, lifestyle factors, and a 16.7 GB multimodal AI model, training datasets, source code, HPC configuration files, and developer identities. Source: SecurityAffairs