What happened, in short:
- Stryker — Iran-linked attackers got into one admin account and wiped 200,000+ devices across 79 countries through the company’s own Microsoft Intune console. No malware involved. Revenue hit confirmed in an SEC filing. CISA put out a national advisory after.
- European Commission — Breached twice in under two months. Completely different attack surfaces each time. Staff data exposed in February. 350GB allegedly taken in March. ShinyHunters took credit for the second one.
- PayPal — A code error left customer Social Security numbers, dates of birth, and business details sitting in the open for 165 days before detection. Some accounts had fraudulent transactions as a result.
None of these involved sophisticated zero-day exploits. Every one of them had warning signals that existed well before actual damage occurred. Same question applies across all three: what would catching the problem earlier have actually required?
Stryker: One Compromised Admin Account Wiped 200,000 Devices in Three Hours
What Happened
March 11, 2026. Roughly 3:30 AM Eastern. Employees at Stryker — Fortune 500 medtech company, $25.1 billion in 2025 revenue, 56,000 people on payroll — started their mornings to blank screens. Laptops wiped clean. Phones reset to factory settings.
Where login pages should have been, the logo of Handala. Iranian hacktivist group. Tied to Iran’s Ministry of Intelligence and Security.
No malware was deployed. No exotic zero-day was burned.
They had Global Administrator access to Stryker’s Microsoft environment. From there they used Microsoft Intune — Stryker’s own device management system — to push remote wipe commands across 79 countries. Between roughly 5:00 and 8:00 AM, it was done.
Intune exists so IT departments can manage, update, and wipe corporate devices remotely. That is literally its purpose. Handala used the tool for exactly what it was designed to do. Just at a scale and intent nobody at Stryker had planned for.
Stryker’s SEC 8-K filing confirmed the hit — order processing disrupted, manufacturing slowed, shipping delayed. Medical devices kept working, but commercial infrastructure went offline across the board. Financial damage was material enough to affect Q1 2026 earnings. Full disclosure expected in the April 30 earnings report.
FBI seized Handala’s web presence on March 19. CISA followed with an advisory telling all organisations to enforce multi-administrator approval before mass device actions can execute through Intune. Palo Alto Networks’ Unit 42 confirmed Handala operates as cover for Iran’s MOIS — hacktivist branding layered over state-sponsored operations for deniability.
What Risk Signals Were Already Visible
This part is hard to read in hindsight.
Check Point Research had been watching Handala’s activity in the months leading up to March 11. They documented hundreds of login attempts and brute-force attacks targeting VPN infrastructure connected to Handala’s operations. The traffic originated from commercial VPN nodes. After Iran’s January 2026 internet shutdown, some of it shifted to Starlink IP ranges — an attempt to blend into legitimate satellite traffic.
Abnormal login patterns. Brute-force attempts from unusual IP ranges. Authentication sequences that were geographically impossible. These are exactly the indicators that external threat monitoring and identity exposure analysis exist to catch.
There’s more. Stryker had already disclosed a separate breach back in December 2024 — unauthorised access that ran from May to June 2024, with PII and medical records pulled out. Whether the attackers kept persistent access from that earlier incident into the March 2026 wipe is still being investigated. But a prior breach at the same company should have raised the threshold for scrutiny on any abnormal admin activity going forward.
What connected monitoring would have surfaced:
Identity exposure — Dark web surveillance and criminal forum monitoring for Stryker admin credentials being sold or discussed. Infostealer logs regularly expose enterprise credentials months before anyone weaponises them. Coalition’s analysis specifically flagged stolen credentials from infostealer malware as a likely initial entry point.
Privilege escalation — A new Global Administrator account appearing in Microsoft Entra ID is an extremely high-severity event in any environment. Connected monitoring flags that action the moment it happens.
Threat intelligence overlap — Handala’s VPN brute-force campaign against Stryker infrastructure, documented by Check Point, could have been cross-referenced with the 2024 breach data. That correlation would have identified Stryker as an active target months before the wipe.
Total cost of the Stryker incident — manufacturing downtime, shipping disruption, device replacement, investigation, SEC filing obligations, reputation — hasn’t been fully tallied. For reference, IBM’s 2025 Cost of a Data Breach Report has the average at $4.44 million globally, $10.22 million in the US. Given the scale across 79 countries and the operational disruption at a company of Stryker’s size, the actual figure is almost certainly several multiples of that.
European Commission: Breached Twice in Eight Weeks, Monitored Separately Each Time
First Breach — February 2026
February 6. The European Commission disclosed that its mobile device management infrastructure had been compromised. Attack traces showed up on January 30. Containment took nine hours from detection.
The entry point: critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile. Same MDM platform the Commission uses to manage staff devices. Staff names and mobile numbers were potentially accessed. The Commission stated that no mobile devices themselves were confirmed compromised.
Timing matters here. Ivanti published its own security advisory on January 29, 2026. One day before the Commission detected the intrusion. The Dutch Data Protection Authority and Judicial Council were hit through the same Ivanti vulnerabilities in a parallel campaign — work data including names, email addresses, and phone numbers accessed in that incident as well.
Second Breach — March 2026
March 24. Attackers accessed cloud infrastructure hosting Europa.eu, the Commission’s public web platform. The Commission confirmed on March 27 that data had been extracted from affected websites. Internal systems, they emphasised, were not touched.
ShinyHunters claimed it. 350GB allegedly stolen — databases, mail server contents, confidential contracts. BleepingComputer confirmed the data came from the Commission’s AWS account.
Two breaches at the same institution inside eight weeks. Different vulnerabilities. Different attackers — the first connected to state-sponsored exploitation of Ivanti flaws, the second claimed by ShinyHunters, a cybercriminal outfit. Different infrastructure entirely — internal MDM systems versus external AWS-hosted web properties.
Why This Is a Textbook Visibility Failure
February and March were handled as separate incidents. Technically, they were. Different holes, different threat actors, different systems.
From a risk standpoint, though, they tell one story. An institution under active targeting — already breached once — got breached again through an entirely different surface within weeks. The first incident exposed weaknesses in MDM infrastructure. The second exploited a completely separate surface (AWS cloud hosting) that apparently wasn’t placed under the heightened scrutiny that should have followed the February incident.
What connected monitoring would have changed:
Attack surface mapping — Continuous scanning of all externally facing Commission infrastructure, AWS-hosted Europa.eu included, would have flagged that environment as part of the total exposure picture alongside the compromised MDM systems.
Post-incident alert elevation — After February, a unified approach would have automatically raised detection sensitivity across every Commission-associated asset. Not just the MDM platform that was already hit.
Threat actor tracking — ShinyHunters had been active all through Q1 2026. Crunchbase in January. Figure Technology Solutions in February. Telus in March. Monitoring their known infrastructure and targeting patterns could have flagged the Commission as a probable next target before March happened.
The fact that two separate breaches occurred at the same institution within two months — and were apparently monitored, investigated, and responded to independently — is exactly the fragmented visibility problem that unified digital risk monitoring is designed to address.
PayPal: Customer SSNs Exposed for 165 Days, Detected by Code Review
What Happened
December 12, 2025. PayPal’s internal security team found a code error in its PayPal Working Capital loan application. The bug had been exposing customer PII to unauthorised access since July 1, 2025. That is 165 days of exposure before anyone caught it.
The faulty code was rolled back on December 13 — one day after discovery. Breach notification letters went to affected customers on February 10, 2026. Nearly two months after the fix.
What was exposed: names, email addresses, phone numbers, business addresses, Social Security numbers, dates of birth. PayPal’s filing with Massachusetts authorities and reporting by PYMNTS.com put the directly affected count at approximately 100 customers.
Some of those customers had unauthorised transactions on their accounts as a direct result. PayPal confirmed refunds were issued, passwords were reset, and two years of Equifax credit monitoring was offered.
Why 165 Days of Silence Matters
PayPal framed it as contained. Around 100 customers. A code error, not a hack. Systems “not compromised.”
Small incident. Enormous principle.
A company processing $1.53 trillion in total payment volume per year had customer Social Security numbers sitting exposed for over five months. Not because of a sophisticated intrusion. Because of a routine code update that nobody checked for security impact before it shipped.
IBM’s 2025 report measured the average breach lifecycle at 241 days — 158 to identify, 83 to contain. PayPal’s 165-day detection window falls almost exactly on that average. Breaches caught inside 200 days cost $3.61 million on average. Those exceeding 200 days: $5.49 million. A $1.88 million difference driven purely by how fast you notice.
PayPal came in under 200 days. Barely. And this was a small exposure. Scale the same detection gap to a larger incident and the financial damage scales with it.
What Would Have Caught It Sooner
Application behaviour monitoring — Continuous scanning of externally facing application endpoints can detect when an API starts returning data it shouldn’t. A loan application endpoint suddenly leaking PII fields would register as anomalous in automated monitoring.
Dark web tracking — Once Social Security numbers and dates of birth are accessible to unauthorised parties, that data tends to show up in criminal marketplaces. Monitoring for PayPal-associated customer records on the dark web could have flagged the exposure through downstream indicators even if the code bug itself wasn’t immediately visible internally.
Identity exposure correlation — If any exposed customer credentials surfaced in other breach databases or infostealer logs during the 165-day window, cross-referencing those signals with active PayPal accounts would have raised the alarm earlier than internal code review eventually did.
The uncomfortable part of PayPal’s incident isn’t the number of customers affected. It’s how long the door was open. Five months. Detected by internal review, not by any monitoring system. For one of the largest payment platforms on earth, that gap isn’t a one-off error. It’s a structural blind spot.
What Connects All Three
Different companies. Different industries. Different attackers. Different methods. Same underlying failure pattern.
| Stryker | European Commission | PayPal | |
|---|---|---|---|
| Attack method | Admin credential compromise → device wipe via Intune | Zero-day (Ivanti) + AWS cloud breach | Code error exposing PII |
| Detection trigger | Devices went blank (visible damage) | Internal MDM monitoring + external claim | Internal code review |
| Pre-attack signals | Months of VPN brute-force attempts, prior 2024 breach, infostealer credential exposure | Active targeting by multiple threat groups, Ivanti advisory issued one day prior | Application behaviour change, potential dark web data surfacing |
| Detection gap | Attack staged over months, executed in hours | Feb breach didn’t prevent March breach at same institution | 165 days |
| What unified monitoring adds | Identity + threat intel + privilege escalation correlation | Cross-surface visibility + post-breach alert elevation | Continuous config monitoring + dark web correlation |
In each case, the signals were there. Scattered across different surfaces — threat intelligence feeds, dark web marketplaces, admin console logs, vulnerability advisories, application behaviour patterns. No single tool catches everything. But a view that connects those surfaces would have surfaced the pattern earlier than it was actually detected in all three incidents.
IBM’s data supports this structurally. Organisations deploying AI and automation extensively across security operations saved $1.9 million per breach on average and cut the breach lifecycle by 80 days. The top cost-mitigating factors from the 2025 report — DevSecOps ($227,192 saved), AI/ML security insights ($223,503), threat intelligence sharing ($211,906), encryption ($208,087) — are all components that unified digital risk monitoring brings under one roof.
Average data breach in 2025: $4.44 million globally. $10.22 million in the United States. Healthcare breaches: $7.42 million average, 279 days to detect and contain. These aren’t hypothetical numbers. Stryker is a healthcare technology company. PayPal operates under financial services regulation. The European Commission manages data for 450 million EU citizens.
Fragmented visibility has a cost. It showed up three times in the first three months of 2026 — at three organisations that, by any reasonable measure, had the resources and the capability to have caught the problem sooner.
This content is technically fact-checked by CyberNX.
These are actually impressive ideas in about blogging.
You have touched some fastidious factors here.
Any way keep up wrinting.
Thanks for ones marvelous posting! I truly enjoyed reading it, you
might be a great author. I will make certain to bookmark your blog and may come back very soon. I want to encourage continue your great job, have a nice weekend!
I’ve been browsing online more than 2 hours today, yet I never found any interesting article like yours.
It’s pretty worth enough for me. Personally, if all
web owners and bloggers made good content as you did, the web
will be much more useful than ever before.
fantastic post, very informative. I ponder why the opposite specialists
of this sector do not understand this. You must proceed your writing.
I’m sure, you have a great readers’ base already!
Good day! This post couldn’t be written any better!
Reading this post reminds me of my old room mate! He always kept talking about this.
I will forward this page to him. Pretty sure he will have
a good read. Thank you for sharing!
Fantastic beat ! I would like to apprentice while
you amend your web site, how could i subscribe for a blog site?
The account aided me a acceptable deal. I had been a little bit acquainted
of this your broadcast provided bright clear
concept
Hello there! This post could not be written any better!
Reading this post reminds me of my good old room mate! He always kept talking about this.
I will forward this write-up to him. Pretty sure he will have a good
read. Thank you for sharing!
Excellent weblog right here! Additionally your web
site rather a lot up very fast! What web host are you the usage of?
Can I get your affiliate hyperlink in your host?
I want my site loaded up as quickly as yours lol
If you desire to increase your familiarity only keep visiting this site and be updated with the most recent
information posted here.
Hello there! I could have sworn I’ve been to this
web site before but after browsing through many of the posts I realized it’s new to me.
Anyways, I’m certainly pleased I came across it and I’ll
be bookmarking it and checking back often!
Hi there, constantly i used to check web site posts here in the early hours in the daylight,
since i like to find out more and more.
Hi, Neat post. There is a problem together with your website in web explorer,
would test this? IE still is the market chief and a huge portion of
other folks will pass over your great writing due to this problem.
With thanks. Excellent stuff!
Very nice post. I just stumbled upon your blog and wanted to say that I’ve really enjoyed
surfing around your blog posts. In any case I’ll be subscribing to your feed and I hope you
write again soon!
Hi there, I enjoy reading through your post. I like to write a little
comment to support you.
Appreciating the time and effort you put into your website
and detailed information you present. It’s nice to come across
a blog every once in a while that isn’t the same old rehashed information. Wonderful read!
I’ve bookmarked your site and I’m including your RSS
feeds to my Google account.
It is in reality a nice and useful piece of info. I am satisfied that you
shared this useful info with us. Please stay us
up to date like this. Thank you for sharing.
I enjoy what you guys are usually up too. This sort of clever work and reporting!
Keep up the fantastic works guys I’ve included you guys
to blogroll.
My family every time say that I am killing my time here at net,
however I know I am getting know-how everyday by reading thes pleasant articles.
Aw, this was an extremely good post. Taking a few minutes and actual effort to create
a top notch article… but what can I say… I put things off a lot
and never seem to get nearly anything done.
Hello my friend! I wish to say that this post is awesome, great written and include approximately all vital
infos. I’d like to peer more posts like this .
I needed to thank you for this very good read!! I absolutely enjoyed every little
bit of it. I have got you saved as a favorite to look at new things you post…
This article provides clear idea in favor of the new
users of blogging, that truly how to do running
a blog.
I truly love your site.. Excellent colors & theme.
Did you develop this website yourself? Please reply back as I’m hoping to create my own personal blog and want
to learn where you got this from or just what the theme is called.
Thank you!
If you would like to grow your knowledge simply keep visiting this web site and be updated with the most recent news update posted here.
Simply wish to say your article is as amazing.
The clarity to your post is simply cool and that i could
think you are an expert on this subject. Well with your
permission let me to seize your RSS feed to keep updated with drawing close
post. Thanks one million and please carry on the enjoyable
work.
This paragraph is in fact a pleasant one it assists new net viewers, who are wishing in favor of blogging.
Thank you for some other informative website. The place else could I am getting that
kind of information written in such an ideal approach?
I’ve a undertaking that I’m just now operating on, and I have been at
the look out for such information.
I like the valuable info you provide in your articles. I’ll bookmark your weblog and
check again here frequently. I’m quite sure I’ll
learn lots of new stuff right here! Good luck for the next!
Hello, Neat post. There is a problem with your website in web
explorer, would test this? IE nonetheless is the market chief and a huge component to people will miss
your magnificent writing due to this problem.
Hello, after reading this remarkable article i am also delighted to share my know-how here
with mates.
It’s hard to come by educated people for this topic, however, you seem
like you know what you’re talking about! Thanks
Hey! Would you mind if I share your blog with my zynga group?
There’s a lot of folks that I think would really appreciate
your content. Please let me know. Thank you
Wow! Finally I got a web site from where I be able to
actually get valuable information concerning my study and knowledge.
Nice post. I learn something new and challenging on blogs I stumbleupon on a daily basis.
It’s always interesting to read articles from other writers and use a little
something from other sites.
It’s genuinely very difficult in this full of activity life to listen news
on TV, thus I simply use world wide web for that purpose, and
take the most recent news.
These are actually great ideas in concerning blogging. You
have touched some fastidious factors here. Any way keep up
wrinting.
It’s really a cool and helpful piece of info. I’m happy that you
simply shared this helpful info with us. Please keep us informed like this.
Thanks for sharing.