Around 2015 I sat through a series of exec-level meetings where the CISO presented. The deck was strong: spend by category, certifications achieved, policies updated, audits passed, the layered-defense diagram everyone has seen with the castle walls and crown jewels in the middle. She knew her stuff. At some point someone asked the obvious question: "So if we spend all this, are we safe?" She didn't oversell it. She said, "Safer." Then she moved to the next slide.
I've thought about that "safer" often because, since then, the spending she was defending has roughly doubled across the industry, and the breaches have gotten bigger, not smaller. We keep building taller walls around more valuable things. And then someone leaves a key under the mat.
Breach at Novo Nordisk
That's the Novo Nordisk story, more or less.
Novo Nordisk disclosed on June 11, 2026 that someone had been inside a limited number of their internal systems. A group calling itself FulcrumSec took credit, demanded $25 million, got told no, and started leaking. The company confirmed exposure of pseudonymized data for about 11,500 clinical-trial patients and some healthcare-professional contacts, and rated the patient risk as low. On the evidence so far, that looks defensible.
FulcrumSec claims something of a different magnitude entirely: 1.3 terabytes across more than 700,000 files, source code, data on marketed and unreleased drugs, and a drug-discovery database, as well as (the part that made everyone sit up) 30 trained internal AI models and nearly half a terabyte of proprietary microscopy images.
That bigger list is the attacker's claim, not the company's confirmation, and threat actors tend to inflate. But because of how FulcrumSec got in, Novo Nordisk can't be certain it isn't true.
The Key Under the Mat
Here's how they got in, per the reporting: Back in March, FulcrumSec found a high-privilege GitHub access token sitting in client-side JavaScript on some obscure subdomain. "Client-side" means anyone with a browser and curiosity could read it. They used that one token to clone private repositories, harvest more credentials, and spend the next two months wandering the network.
That's all it took. One key, essentially left under the mat, at a company that spends real money on security.
It's easy to dunk on Novo Nordisk's engineers. I won't, because I've seen this happen at good shops run by smart people, and so have you. A token gets hardcoded during a late-night fix to unblock a deployment. Someone intends to rotate it. The sprint ends, the quarter ends, the person changes teams. The token sits there for a year. This is not exotic. This is a Tuesday.
"Perfect prevention is not possible in a world of advanced, AI-driven threats." That's a direct quote from a June 29, 2026 Gartner LinkedIn post. If it's true (and we know it is), let's change the way we think about data protection. If we can't keep attackers out, let's make getting in not worth the effort.
The Immobilizer Lesson
There's a useful parallel to that idea in the stolen car market. For decades the answer was louder alarms. But the theft rate barely budged, because an alarm just tells you that the thing you feared is already happening. What broke the market was the immobilizer: a cryptographic handshake between the key and the engine, mandated in the European Union in the late 90s. A thief could still break into a car; but they couldn't make the car go. US and UK vehicle theft fell more than 80% in the decades after, not because cars got harder to break into but because the cars were useless without their keys. No more joy rides.
Most organizations are still stuck in the alarm era. They spend heavily on keeping attackers out, but almost nothing on the real question that decides the outcome: What happens when they get in anyway? If the answer is, "They stole 30 trained AI models they can read," the spend was kabuki. If it's, "They get a pile of unreadable bytes," then the key under the mat is an embarrassment instead of a catastrophe. And that makes for boring news.
No More Joy Rides
The companies working on making stolen data inert at the storage layer—so that exfiltration exposes garbage rather than secrets—are early. But Gartner is mapping the space now, which tells us the direction is right. The point isn't to stop being breached. You will be breached. The point is to make being breached boring. Make it so that attackers who are successful in breaking in walk away with nothing usable. No more joy rides.
Until data protection regulations catch up and a data immobilizer is mandated for every organization that stores sensitive data, the breach economy will continue to grow. We're not there yet. But breaches like the one at Novo Nordisk are what it costs to keep pretending the wall is the whole job.
Join us in making breaches boring.
HyperSphere protects data before it ever reaches storage. So when storage is breached, attackers walk away with data they can't use.
