The Norwegian Data Protection Agency has fined a US pharmaceutical company NOK 2.5 million following a data breach.

The company became aware of a data breach that affected all EU-based employees, including one employee in Norway. However, the breach was only reported to the Norwegian Data Protection Agency after 67 days.

The data breach had included almost all details about the employee’s employment terms and conditions.