FulcrumSec claims it stole 1.3TB from Novo Nordisk, demanded $25M on Monday

On Monday, a cyber-extortion group calling itself FulcrumSec claimed it had stolen roughly 1.3 terabytes of data from Novo Nordisk, the Danish maker of weight-loss drugs Wegovy and Ozempic, and demanded $25 million to keep the information private. Novo Nordisk did not pay.

The immediate question for executives is simple but high-stakes: once an extortion deadline passes without payment, does the attacker leak data, auction it, or try a second round to force a rethink. According to the group’s own account, it is now looking for what to do next after the company refused.

That refusal is the kind of decision that can look cold in a headline and chaotic in real life. When a company receives a demand tied to alleged stolen data, it has to balance multiple risks at once: the possibility that sensitive information is already out of the attacker’s hands, the operational risk of shutting things down or negotiating under pressure, and the reputational risk of appearing to reward criminal behavior. Novo Nordisk’s choice not to pay signals it judged the cost of payment higher than the potential upside, or that it could pursue alternatives that do not depend on compliance.

The stakes are especially sharp in pharma and biotech because data is not just “files.” It can represent intellectual property, clinical know-how, manufacturing details, regulatory artifacts, and internal strategies. Wegovy and Ozempic are not niche products; they sit in a global public-health conversation where information asymmetry is valuable. Even if the group only claims a theft, the threat itself forces a scramble: security teams must treat the possibility as real while legal, compliance, and executives coordinate the response.

Cyber extortion around healthcare and life sciences has a second-order effect that boards often underestimate: it turns incident response into enterprise governance. A data claim can trigger internal policy reviews, vendor assessments, and regulatory notifications processes that move at their own pace. It can also put pressure on third parties. Many pharma companies rely on complex supply chains and specialized vendors for IT operations, data storage, analytics, and clinical systems. If the attack touches systems connected to those ecosystems, the fallout is broader than one company alone.

Then there is the compliance angle. Even when companies do not name specific frameworks in public, the pattern of how incidents are handled is increasingly influenced by data protection and breach notification expectations. Executives tend to think about “can we contain it,” but regulators and counterparties tend to think about “what happened, to whom it matters, and when.” A group’s public statement, especially one tied to a dollar demand, can raise the scrutiny. It also increases the likelihood that other internal stakeholders, such as compliance leadership and risk committees, ask for evidence faster and more formally.

FulcrumSec’s claim centers on two numbers that matter to decision-makers: roughly 1.3 terabytes of data stolen and a $25 million demand to keep it private. Large volumes can imply multiple datasets, overlapping categories of sensitive material, or backups and archives rather than a single narrow grab. But the demand amount, and the fact that Novo Nordisk did not pay, also suggests a strategic dynamic familiar to extortion campaigns. Attackers often rely on pressure, urgency, and the fear of worst-case outcomes. If the company holds firm, the attacker has to pivot to maintain leverage, which is why the group says it is now looking for what comes next.

For other executives at pharma companies and beyond, the lesson is not about whether you should or should not pay in some universal sense. It is about what your organization needs ready in the hours after refusal. That includes a plan for validating the scope of claimed theft, mapping what systems and datasets could plausibly correspond to the attacker’s assertions, coordinating communications without speculating, and aligning legal and security teams under board-level oversight. The moment after “no payment” is its own phase of the incident, and it is where reputations, regulatory posture, and customer confidence can either stabilize or deteriorate.

Because FulcrumSec is still reportedly “looking for” what happens next, the operational reality is that Novo Nordisk may not be done with this story even though payment did not happen. For boards, CIOs, and CISO teams, the key is to assume that an extortion campaign can continue after a company says no, and to be ready for the next move with the same seriousness as the first demand.