Back to Intelligence

Novo Nordisk Breach: Defending Against PII Exfiltration in Pharma IT

SA
Security Arsenal Team
June 16, 2026
5 min read

Introduction

In 2026, the pharmaceutical sector remains a top-tier target for cybercriminals and advanced persistent threats (APTs). The recent disclosure by Novo Nordisk—manufacturer of critical weight-loss and diabetes medications like Ozempic and Wegovy—confirms that threat actors successfully breached their IT systems and accessed personal data.

While the specific ingress vector is still being assessed, the implication is clear: attackers successfully traversed the network to locate and access sensitive Personally Identifiable Information (PII). For defenders, this is an immediate call to audit data access controls, review egress patterns, and harden monitoring around data stores. The targeting of Novo Nordisk suggests a strategic interest in either intellectual property (IP) or the high-value PII associated with patient populations.

Technical Analysis

Affected Systems: Corporate IT systems and data repositories housing personal information.

Threat Overview:

  • Attack Vector: The breach indicates a capability to move laterally within the corporate environment. Based on typical TTPs seen in healthcare targeting for 2026, this likely involves initial access via phishing, credential theft, or exploitation of external-facing services, followed by internal reconnaissance to locate databases or file shares containing PII.
  • Data Access: The confirmation of "personal data" access suggests attackers successfully queried databases, copied flat files (CSVs, XLSX), or exported directory listings.
  • Exploitation Status: Confirmed active exploitation. The attackers have already achieved their objective of data access.

Defensive Perspective: From a defensive standpoint, the critical failure points are usually:

  1. Over-privileged accounts: Service accounts or end-users with access to broad data sets.
  2. Lack of Egress Monitoring: Failure to detect large data transfers or unusual connections to external endpoints.
  3. Poor Data Segmentation: Sensitive PII stored in general-purpose file shares rather than secured, isolated data lakes.

Detection & Response

SIGMA Rules

The following Sigma rules are designed to detect the common post-exploitation behaviors associated with data theft: bulk export via PowerShell and the use of compression utilities for staging.

YAML
---
title: Potential Data Exfiltration via PowerShell Export Cmdlets
id: 8f4c2a1b-3d6e-4f5a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects the use of PowerShell to export data to CSV or file formats, a common technique for PII exfiltration.
references:
  - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Export-Csv'
      - 'ConvertTo-Csv'
      - 'Out-File'
      - 'Set-Content'
  condition: selection
falsepositives:
  - Administrative scripts
  - Legitimate reporting automation
level: medium
---
title: Mass Data Compression via Archive Utilities
id: 9e5d3b2c-4e7f-5a6b-0c2d-3e4f5a6b7c8d
status: experimental
description: Detects the execution of compression utilities like 7-Zip or WinRAR, often used to bundle PII for exfiltration.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1560
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\7z.exe'
      - '\winrar.exe'
      - '\zip.exe'
      - '\tar.exe'
  condition: selection
falsepositives:
  - Legitimate user backups
  - Software installation
level: low

KQL (Microsoft Sentinel / Defender)

This query hunts for PowerShell processes utilizing export verbs, correlating them with the device and account context to identify potential bulk data theft.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath endswith "\\powershell.exe"
| where ProcessCommandLine has_any ("Export-Csv", "Out-File", "Tee-Object", "Set-Content")
| summarize count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, AccountName, ProcessCommandLine
| where count_ > 5
| order by count_ desc

Velociraptor VQL

This artifact hunts for recently created archive files in user profiles, which may indicate data staging for exfiltration.

VQL — Velociraptor
-- Hunt for recent compression artifacts in user directories
SELECT FullPath, Size, Mtime, Mode, User
FROM glob(globs='C:/Users/*/*.zip', accessor='file')
WHERE Mtime > now() - duration("7d")

Remediation Script (PowerShell)

Use this script to audit file systems for folders with overly permissive "Everyone" or "Authenticated Users" access, which are common targets for PII scraping.

PowerShell
# Audit for weak permissions on sensitive directories
$SensitivePaths = @("C:\Data", "C:\Shares", "D:\Databases") # Customize as needed

foreach ($Path in $SensitivePaths) {
    if (Test-Path $Path) {
        Write-Host "Checking permissions for: $Path"
        $Acl = Get-Acl -Path $Path
        foreach ($Access in $Acl.Access) {
            if ($Access.IdentityReference.Value -match "Everyone|Authenticated Users|BUILTIN\Users") {
                if ($Access.FileSystemRights -notmatch "Read") {
                    Write-Host "[!] WARNING: Excessive Write/Modify permission found for $($Access.IdentityReference.Value) on $Path" -ForegroundColor Red
                }
            }
        }
    }
}

Remediation

  1. Credential Reset: Force a password reset for all privileged accounts and any users with access to the compromised IT systems. Enforce MFA if not already active.
  2. Access Control Review: Immediately review Access Control Lists (ACLs) on file shares and databases containing PII. Remove "Everyone" and "Authenticated Users" groups; enforce least privilege.
  3. Network Segmentation: Ensure that critical database servers are not directly accessible from general user workstations. Require jump hosts or bastion stations for administrative access.
  4. Data Loss Prevention (DLP): Implement or tighten DLP rules to alert on large transfers of sensitive file types (PDF, DOCX, CSV) outside the corporate boundary.
  5. Audit Logs: Collect and review Windows Security Event logs (Event ID 4663 for object access) around the confirmed breach timeframe to identify the specific data accessed.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirnovo-nordiskhealthcaredata-breach

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action