
Stryker Corporation
US medtech firm; Handala wiper destroyed 200,000 devices via single Intune credential, March 2026.
Last refreshed: 8 May 2026 · Appears in 3 active topics
Is an SEC-reportable attack possible with no malware, just one stolen cloud login?
Timeline for Stryker Corporation
Ivanti EPMM logs fourth KEV zero-day since 2023
Cybersecurity: Threats and DefencesMentioned in: West Pharma SEC 8-K on ransomware halt
Cybersecurity: Threats and DefencesFiled SEC 8-K/A disclosing the March MDM wipe as a material cybersecurity incident with Q1 earnings impact
Cybersecurity: Threats and Defences: Stryker SEC filing marks cyber milestoneMentioned in: Israel kills Larijani, last negotiator
Iran Conflict 2026Handala wipes 200,000 devices at Stryker
Cybersecurity: Threats and DefencesWhat happened to Stryker in the cyber attack?
Did the Stryker hack affect NHS hospitals?
How did Stryker disclose the cyber attack to the SEC?
Background
Stryker Corporation is a US medical technology manufacturer headquartered in Kalamazoo, Michigan, producing surgical equipment, orthopaedics, and medical devices for hospitals and healthcare systems worldwide.
Stryker became the most significant identity-plane attack victim of 2026 when Iranian-linked Handala Hack wiped between 80,000 and 200,000 devices across 79 countries on 11 March 2026 using a single stolen Microsoft Intune admin credential. No malware was deployed. Per Stryker's SEC 8-K/A filed on 10 April, the incident was material and would affect Q1 2026 earnings, though full-year guidance was maintained.
NHS Supply Chain, the NHS England centralised procurement body, issued a disruption alert on 18 March warning UK hospitals that Stryker ordering, manufacturing, and invoicing systems were degraded, with most product lines not projected to return to normal until 10 April. UK trusts running Stryker surgical equipment faced procedure delays and paper-based inventory workarounds for three weeks. The attack was described by Krebs on Security as credential-only, with the attackers operating the MDM console identically to the legitimate IT team.
The incident established two precedents that now define enterprise MDM security discourse. First, an SEC materiality precedent: a credential-only attack with no malware and no data encryption qualifies as a material cybersecurity event under SEC 8-K rules — Stryker's 8-K/A is the first MDM console wipe to trigger SEC disclosure. Second, the fourth Ivanti EPMM KEV (CVE-2026-6973) added in May 2026 confirms that MDM control-plane vulnerabilities remain the highest-priority attack surface for threat actors. Stryker's case is now the reference scenario for CISO conversations about MDM admin Conditional Access, break-glass account design, and session-binding controls.