June 2026 Was a Bad Month for Everyone Except the Attackers

Jutsu | 2026

If you work in security, June probably felt like a lot. A pharma giant, a government messaging platform, two universities, and a healthcare administrator all had breaches disclosed within the same few weeks. Different organizations, different countries, different kinds of data. But when you look at how each one actually played out, they start to tell the same story. The attacker got in, did what they came to do, and left.

Breaches happen every month. What made June different is that in every single case, the organization found out after the fact. Not during the attack. Not while data was moving. After. Sometimes days later, sometimes weeks, sometimes because the attacker themselves made an announcement. That gap, between when something happens and when anyone realizes it, is the thing worth paying attention to here, because it shows up in all five incidents without exception.

Here is what happened:

Novo Nordisk

On June 11, Novo Nordisk, the company behind Wegovy and Ozempic, had to announce two things on the same morning. The first was that the UK had approved their new oral Wegovy pill. The second was that attackers had gotten into their internal systems and taken clinical trial data without anyone noticing.

The data included patient health information, biomarkers, and lifestyle details. For the healthcare professionals involved in the trials, it was more personal: their names, phone numbers, and contact details were taken in a way that left them directly identifiable.

There was no ransomware. No systems went down. Nothing dramatic happened that would have forced anyone to respond immediately. The attackers just moved through the environment quietly, copied what they wanted, and left. The company only found out later, when the damage was already done.

France’s Tchap Messenger

A bit of context helps here. In 2025, the French Prime Minister banned government employees from using WhatsApp and Signal for work. Instead, they were told to use Tchap, a messaging app built by the French government itself, running on French servers, designed to keep official communications away from foreign platforms. Over 825,000 civil servants across every major ministry were using it by June 2026.

On June 7, an attacker got into Tchap using a single employee account that had been compromised through social engineering. Once inside, they found login credentials that someone had left sitting in a script file (a careless but common mistake), and those credentials gave them access to far more than one person’s messages.

By the time France’s cybersecurity agency detected the intrusion and shut the account down, the attacker had scraped messages from 73,000 accounts, downloaded gigabytes of documents, and accessed material that was supposed to be restricted to government use only.

One account. One forgotten password in a script. That was the opening they needed.

University of Nottingham

The University of Nottingham found out they had been breached the way nobody wants to find out: the attacker made a public announcement.

ShinyHunters, a criminal group that had already hit thousands of universities through the Canvas platform breach earlier in the year, posted Nottingham’s data on their leak site on June 9. 455,000 students and alumni across the UK, Malaysia, and China campuses had their records exposed. Names, addresses, passport numbers, financial details, and other sensitive personal information that people cannot simply change after the fact.

ShinyHunters runs a pay-or-publish operation. They take the data, give the victim a deadline to pay, and if no payment comes, they release everything. The university notified the relevant authorities and began an investigation, but the data was already out in the world before any of that started.

DentaQuest

DentaQuest is a US company that manages dental benefits for people on Medicaid, which means the 2.6 million people caught up in their June breach are largely individuals who rely on public health programs and have fewer options when things like this go wrong.

The company disclosed that names, addresses, dates of birth, Social Security numbers, and health information had been compromised, though the exact method of the attack has not been confirmed publicly. Credit monitoring is being offered to those affected, which is the standard response. However, Social Security numbers are not something you can replace, which means the risk for those 2.6 million people does not simply go away when the investigation wraps up.

Oxford University

The Oxford situation is a little different from the others, and honestly it might be the most unsettling one of the bunch, not because of the scale, but because of what it says about where breaches can come from.

Oxford’s own systems were never touched. The breach happened at a third-party company called Group GTI, which runs a career services platform that Oxford uses for students and alumni. Group GTI got compromised, and because Oxford’s users’ data lived inside Group GTI’s environment, that data was exposed too.

Oxford had nothing to detect. No alert, no anomaly, nothing inside their own infrastructure that looked wrong, because nothing inside their own infrastructure was wrong. A vendor they trusted got breached, and their users paid the price for it.

This happens more often than it should. When you share your users’ data with an external platform, you are trusting that platform’s security as much as your own. And you usually have very little visibility into what that actually looks like from the inside.

The Thing All of These Have in Common

Put all five incidents side by side and one pattern is impossible to miss. None of these organizations were watching when it happened. Novo Nordisk found out through investigation after the fact. The French government was tipped off by their own cybersecurity agency, but only after data had already been taken. Nottingham found out publicly from the attacker. DentaQuest discovered it internally, long after access had occurred. Oxford found out through their vendor.

The attacker finished what they came to do before anyone realized they were there. In every case.

This is not a story about organizations being careless or unsophisticated. These are large, well-resourced institutions with security teams and tools in place. The problem is something more fundamental: the way attacks happen today is designed to be invisible until it is too late. Slow movements, legitimate-looking access, gradual data transfer that does not spike any single alarm. By the time the pattern becomes obvious, the window to respond has usually already closed.
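
To make the "no single alarm" point concrete, here is an added example (not from the original post, and not Jutsu's code) that runs two rules over the same egress records: a per-transfer size threshold and a per-account trailing-window total. The thresholds, account names and events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MIB = 1024 ** 2
PER_EVENT_LIMIT = 500 * MIB        # assumed: alert on any single transfer above 500 MiB
WINDOW = timedelta(hours=24)       # assumed: trailing window per account
WINDOW_LIMIT = 2048 * MIB          # assumed: alert above 2 GiB per account per window


def build_sample_events():
    """Constructed sample of (timestamp, account, bytes_out) egress records."""
    start = datetime(2026, 6, 1)
    # Low and slow: 150 MiB every hour, each transfer well under the per-event limit.
    events = [(start + timedelta(hours=h), "svc-report", 150 * MIB) for h in range(20)]
    # One loud transfer that a per-event rule does catch.
    events.append((start + timedelta(hours=3), "j.doe", 600 * MIB))
    # Ordinary background activity.
    events += [(start + timedelta(hours=6 * h), "a.smith", 40 * MIB) for h in range(4)]
    return sorted(events)


def per_event_alerts(events):
    """Timestamps and accounts where one transfer alone exceeds PER_EVENT_LIMIT."""
    return [(ts, acct) for ts, acct, size in events if size > PER_EVENT_LIMIT]


def rolling_volume_alerts(events):
    """Map account -> first time its trailing-window total exceeded WINDOW_LIMIT."""
    windows, totals, first_alert = defaultdict(deque), defaultdict(int), {}
    for ts, acct, size in events:  # events must be in time order
        win = windows[acct]
        win.append((ts, size))
        totals[acct] += size
        while ts - win[0][0] > WINDOW:  # drop transfers older than the window
            totals[acct] -= win.popleft()[1]
        if totals[acct] > WINDOW_LIMIT and acct not in first_alert:
            first_alert[acct] = ts
    return first_alert


if __name__ == "__main__":
    sample = build_sample_events()
    print("per-event rule:", per_event_alerts(sample))
    print("rolling-volume rule:", rolling_volume_alerts(sample))
```

The per-event rule fires only on the single large transfer, while the account that moved the most data in total is surfaced only by the windowed total, and only partway through the transfer series.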

How Jutsu Approaches This

At Jutsu, the detection gap, that space between when something starts and when anyone understands what they are looking at, is the specific problem we are addressing through our All-in-One Agentic Security Operations Platform.

The Jutsu platform monitors continuously across your environment and automatically enriches every alert against threat intelligence sources before a human ever reviews it. More importantly, it connects related events into sequences rather than treating each one in isolation, which means patterns that would otherwise take days to piece together start to become visible much earlier, while there is still time to act on them.

The signals existed in every incident above. The Novo Nordisk data movement had a trail. The Tchap account behavior was anomalous from the moment it started pivoting across ministries. The ShinyHunters indicators tied to Nottingham were already in public threat intelligence feeds. The information was there. What was missing was the speed to make sense of it.

That is what Jutsu is built to change. If you want to see it in practice, you can learn more and book a demo here.