What happened, in short:
- Stryker — Iran-linked attackers got into one admin account and wiped 200,000+ devices across 79 countries through the company’s own Microsoft Intune console. No malware involved. Revenue hit confirmed in an SEC filing. CISA put out a national advisory after.
- European Commission — Breached twice in under two months. Completely different attack surfaces each time. Staff data exposed in February. 350GB allegedly taken in March. ShinyHunters took credit for the second one.
- PayPal — A code error left customer Social Security numbers, dates of birth, and business details sitting in the open for 165 days before detection. Some accounts had fraudulent transactions as a result.
Only one of the three involved a zero-day, and even that was a vulnerability the vendor had already published an advisory for by the time the intrusion was detected. Every one of them had warning signals that existed well before actual damage occurred. The same question applies across all three: what would catching the problem earlier have actually required?
Stryker: One Compromised Admin Account Wiped 200,000 Devices in Three Hours
What Happened
March 11, 2026. Roughly 3:30 AM Eastern. Employees at Stryker — Fortune 500 medtech company, $25.1 billion in 2025 revenue, 56,000 people on payroll — started their mornings to blank screens. Laptops wiped clean. Phones reset to factory settings.
Where login pages should have been, the logo of Handala. Iranian hacktivist group. Tied to Iran’s Ministry of Intelligence and Security.
No malware was deployed. No exotic zero-day was burned.
They had Global Administrator access to Stryker’s Microsoft environment. From there they used Microsoft Intune — Stryker’s own device management system — to push remote wipe commands across 79 countries. Between roughly 5:00 and 8:00 AM, it was done.
Intune exists so IT departments can manage, update, and wipe corporate devices remotely. That is literally its purpose. Handala used the tool for exactly what it was designed to do. Just at a scale and intent nobody at Stryker had planned for.
Stryker’s SEC 8-K filing confirmed the hit — order processing disrupted, manufacturing slowed, shipping delayed. Medical devices kept working, but commercial infrastructure went offline across the board. Financial damage was material enough to affect Q1 2026 earnings. Full disclosure expected in the April 30 earnings report.
FBI seized Handala’s web presence on March 19. CISA followed with an advisory telling all organisations to enforce multi-administrator approval before mass device actions can execute through Intune. Palo Alto Networks’ Unit 42 confirmed Handala operates as cover for Iran’s MOIS — hacktivist branding layered over state-sponsored operations for deniability.
What Risk Signals Were Already Visible
This part is hard to read in hindsight.
Check Point Research had been tracking Handala's activity in the months leading up to March 11. It documented hundreds of login attempts and brute-force attacks against VPN infrastructure that it attributed to Handala's operations. The traffic originated from commercial VPN exit nodes. After Iran's January 2026 internet shutdown, some of it shifted to Starlink IP ranges, an attempt to blend into legitimate satellite traffic.
Abnormal login patterns. Brute-force attempts from unusual IP ranges. Authentication sequences that were geographically impossible. These are exactly the indicators that external threat monitoring and identity exposure analysis exist to catch.
There’s more. Stryker had already disclosed a separate breach back in December 2024 — unauthorised access that ran from May to June 2024, with PII and medical records pulled out. Whether the attackers kept persistent access from that earlier incident into the March 2026 wipe is still being investigated. But a prior breach at the same company should have raised the threshold for scrutiny on any abnormal admin activity going forward.
What connected monitoring would have surfaced:
Identity exposure — Dark web surveillance and criminal forum monitoring for Stryker admin credentials being sold or discussed. Infostealer logs regularly expose enterprise credentials months before anyone weaponises them. Coalition’s analysis specifically flagged stolen credentials from infostealer malware as a likely initial entry point.
Privilege escalation — A new Global Administrator account appearing in Microsoft Entra ID is an extremely high-severity event in any environment. Connected monitoring flags that action the moment it happens.
Threat intelligence overlap — Handala’s VPN brute-force campaign against Stryker infrastructure, documented by Check Point, could have been cross-referenced with the 2024 breach data. That correlation would have identified Stryker as an active target months before the wipe.
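The two Stryker signals above that live in the tenant's own audit trail, a privileged role assignment and a burst of remote device actions, are cheap to detect and cheaper still to correlate. The following is an added example written for this page, not Stryker's, Microsoft's or CyberNX's tooling. It runs three rules over constructed Entra ID and Intune audit events: alert on any privileged role assignment, alert when one account exceeds a rate of wipe/retire/delete actions inside a sliding window, and raise the severity when the account doing the mass action is one that was promoted shortly before. Event field names (`ts`, `actor`, `action`, `member`, `role`, `device`), the `corp.example` tenant, the role list and the thresholds are all assumptions, simplified from the audit log shape rather than copied from the Graph API schema.

```python
"""Added example (not Stryker's or Microsoft's tooling): three detections run
over constructed Entra ID / Intune audit events. Field names are a simplified
assumption modelled on the audit log shape, not the Graph API schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Roles whose assignment should alert on its own, and Intune remote actions
# that are dangerous in bulk. Both sets are assumptions for this example.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator",
                    "Privileged Role Administrator"}
MASS_ACTIONS = {"wipe", "retire", "delete"}

# --- constructed sample events (corp.example is a placeholder tenant) -------
ROLE_EVENTS = [
    {"ts": "2026-03-11T07:40:00", "actor": "j.doe-admin@corp.example",
     "action": "Add member to role", "member": "svc-helpdesk@corp.example",
     "role": "Global Administrator"},
]
# Normal operations: a few wipes of lost devices spread across the day.
BASELINE_WIPES = [
    {"ts": ts, "actor": "it-ops@corp.example", "action": "wipe", "device": dev}
    for ts, dev in [("2026-03-11T09:00:00", "LAPTOP-A1"),
                    ("2026-03-11T11:30:00", "PHONE-B2"),
                    ("2026-03-11T15:00:00", "LAPTOP-C3")]
]
# The incident pattern: one account issuing a wipe per second for 200 devices.
WIPE_BURST = [
    {"ts": (datetime(2026, 3, 11, 10, 0, 0) + timedelta(seconds=i)).isoformat(),
     "actor": "svc-helpdesk@corp.example", "action": "wipe",
     "device": f"LAPTOP-{i:04d}"}
    for i in range(200)
]
EVENTS = ROLE_EVENTS + BASELINE_WIPES + WIPE_BURST


def parse_ts(s):
    return datetime.fromisoformat(s)


def role_assignment_alerts(events, roles=PRIVILEGED_ROLES):
    """Rule 1: any assignment of a privileged directory role alerts immediately."""
    return [
        {"rule": "privileged-role-assigned", "ts": e["ts"], "actor": e["actor"],
         "member": e["member"], "role": e["role"]}
        for e in events
        if e["action"] == "Add member to role" and e["role"] in roles
    ]


def mass_action_alerts(events, window=timedelta(minutes=10), threshold=25):
    """Rule 2: per-actor sliding window over remote device actions.

    Alerts the first time one account reaches `threshold` actions inside
    `window`; three wipes spread over a working day never trip it."""
    recent = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] not in MASS_ACTIONS:
            continue
        now = parse_ts(e["ts"])
        q = recent[e["actor"]]
        q.append(now)
        while now - q[0] > window:          # drop actions older than the window
            q.popleft()
        if len(q) >= threshold and e["actor"] not in alerts:
            alerts[e["actor"]] = {"rule": "mass-device-action", "actor": e["actor"],
                                  "first_ts": q[0].isoformat(), "count": len(q)}
    return list(alerts.values())


def correlated_alerts(events, lookback=timedelta(hours=24)):
    """Rule 3: the correlation the page argues for. An account that received a
    privileged role and then ran a burst of device actions within `lookback`."""
    promoted = {a["member"]: parse_ts(a["ts"]) for a in role_assignment_alerts(events)}
    out = []
    for burst in mass_action_alerts(events):
        granted = promoted.get(burst["actor"])
        if granted is None:
            continue
        gap = parse_ts(burst["first_ts"]) - granted
        if timedelta(0) <= gap <= lookback:
            out.append({**burst, "rule": "promoted-then-mass-action",
                        "promoted_at": granted.isoformat()})
    return out


def run_all(events):
    return {"role": role_assignment_alerts(events),
            "mass": mass_action_alerts(events),
            "correlated": correlated_alerts(events)}


if __name__ == "__main__":
    for name, alerts in run_all(EVENTS).items():
        for a in alerts:
            print(name, a)
```

On the constructed data, rule 1 fires at 07:40 when the service account is added to Global Administrator, rule 2 fires 24 seconds into the burst (well before the 200th device, let alone the 200,000th), and rule 3 ties the two together. The baseline admin's three wipes over six hours never reach the threshold, which is the point of using a window rather than a daily count. Rule 2 is detection, not prevention; it is the signal that a multi-admin approval gate of the kind CISA recommended would turn into a blocked action rather than a page.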
Total cost of the Stryker incident — manufacturing downtime, shipping disruption, device replacement, investigation, SEC filing obligations, reputation — hasn’t been fully tallied. For reference, IBM’s 2025 Cost of a Data Breach Report has the average at $4.44 million globally, $10.22 million in the US. Given the scale across 79 countries and the operational disruption at a company of Stryker’s size, the actual figure is almost certainly several multiples of that.
European Commission: Breached Twice in Eight Weeks, Monitored Separately Each Time
First Breach — February 2026
February 6. The European Commission disclosed that its mobile device management infrastructure had been compromised. Attack traces showed up on January 30. Containment took nine hours from detection.
The entry point: critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile, the MDM platform the Commission uses to manage staff devices. Staff names and mobile numbers were potentially accessed. The Commission stated that no mobile devices themselves were confirmed compromised.
Timing matters here. Ivanti published its own security advisory on January 29, 2026. One day before the Commission detected the intrusion. The Dutch Data Protection Authority and Judicial Council were hit through the same Ivanti vulnerabilities in a parallel campaign — work data including names, email addresses, and phone numbers accessed in that incident as well.
Second Breach — March 2026
March 24. Attackers accessed cloud infrastructure hosting Europa.eu, the Commission’s public web platform. The Commission confirmed on March 27 that data had been extracted from affected websites. Internal systems, they emphasised, were not touched.
ShinyHunters claimed it. 350GB allegedly stolen — databases, mail server contents, confidential contracts. BleepingComputer confirmed the data came from the Commission’s AWS account.
Two breaches at the same institution inside eight weeks. Different vulnerabilities. Different attackers — the first connected to state-sponsored exploitation of Ivanti flaws, the second claimed by ShinyHunters, a cybercriminal outfit. Different infrastructure entirely — internal MDM systems versus external AWS-hosted web properties.
Why This Is a Textbook Visibility Failure
February and March were handled as separate incidents. Technically, they were. Different holes, different threat actors, different systems.
From a risk standpoint, though, they tell one story. An institution under active targeting — already breached once — got breached again through an entirely different surface within weeks. The first incident exposed weaknesses in MDM infrastructure. The second exploited a completely separate surface (AWS cloud hosting) that apparently wasn’t placed under the heightened scrutiny that should have followed the February incident.
What connected monitoring would have changed:
Attack surface mapping — Continuous scanning of all externally facing Commission infrastructure, AWS-hosted Europa.eu included, would have flagged that environment as part of the total exposure picture alongside the compromised MDM systems.
Post-incident alert elevation — After February, a unified approach would have automatically raised detection sensitivity across every Commission-associated asset. Not just the MDM platform that was already hit.
Threat actor tracking — ShinyHunters had been active all through Q1 2026. Crunchbase in January. Figure Technology Solutions in February. Telus in March. Monitoring their known infrastructure and targeting patterns could have flagged the Commission as a probable next target before March happened.
The fact that two separate breaches occurred at the same institution within two months — and were apparently monitored, investigated, and responded to independently — is exactly the fragmented visibility problem that unified digital risk monitoring is designed to address.
PayPal: Customer SSNs Exposed for 165 Days, Detected by Code Review
What Happened
December 12, 2025. PayPal’s internal security team found a code error in its PayPal Working Capital loan application. The bug had been exposing customer PII to unauthorised access since July 1, 2025. That is 165 days of exposure before anyone caught it.
The faulty code was rolled back on December 13 — one day after discovery. Breach notification letters went to affected customers on February 10, 2026. Nearly two months after the fix.
What was exposed: names, email addresses, phone numbers, business addresses, Social Security numbers, dates of birth. PayPal’s filing with Massachusetts authorities and reporting by PYMNTS.com put the directly affected count at approximately 100 customers.
Some of those customers had unauthorised transactions on their accounts as a direct result. PayPal confirmed refunds were issued, passwords were reset, and two years of Equifax credit monitoring was offered.
Why 165 Days of Silence Matters
PayPal framed it as contained. Around 100 customers. A code error, not a hack. Systems “not compromised.”
Small incident. Enormous principle.
A company processing $1.53 trillion in total payment volume per year had customer Social Security numbers sitting exposed for over five months. Not because of a sophisticated intrusion. Because of a routine code update that nobody checked for security impact before it shipped.
IBM’s 2025 report measured the average breach lifecycle at 241 days — 158 to identify, 83 to contain. PayPal’s 165-day detection window falls almost exactly on that average. Breaches caught inside 200 days cost $3.61 million on average. Those exceeding 200 days: $5.49 million. A $1.88 million difference driven purely by how fast you notice.
PayPal came in under 200 days. Barely. And this was a small exposure. Scale the same detection gap to a larger incident and the financial damage scales with it.
What Would Have Caught It Sooner
Application behaviour monitoring — Continuous scanning of externally facing application endpoints can detect when an API starts returning data it shouldn’t. A loan application endpoint suddenly leaking PII fields would register as anomalous in automated monitoring.
Dark web tracking — Once Social Security numbers and dates of birth are accessible to unauthorised parties, that data tends to show up in criminal marketplaces. Monitoring for PayPal-associated customer records on the dark web could have flagged the exposure through downstream indicators even if the code bug itself wasn’t immediately visible internally.
Identity exposure correlation — If any exposed customer credentials surfaced in other breach databases or infostealer logs during the 165-day window, cross-referencing those signals with active PayPal accounts would have raised the alarm earlier than internal code review eventually did.
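The application behaviour check described above is concrete enough to show. What follows is an added example written for this page, not PayPal's code or tooling: a per-endpoint allowlist of response fields plus pattern checks for values that look like SSNs and keys that look like dates of birth, walked over JSON responses. Run on a schedule against the live endpoint it is the monitoring the page describes; run against a test server in CI it is the pre-ship check the page says nobody performed. The endpoint path, field names, the `owner` sub-object and the sample responses are all constructed for the example.

```python
"""Added example (not PayPal's code): detect an API response that starts
returning fields it should not. Endpoint, field names and samples are
assumptions constructed for this page."""
import re

# Dotted paths a caller of this endpoint may legitimately see. List indices
# are collapsed, so "documents[0].type" is checked as "documents.type".
ENDPOINT = "/v1/working-capital/applications/{id}"          # assumed path
RESPONSE_ALLOWLIST = {
    ENDPOINT: {"application_id", "status", "requested_amount", "currency",
               "submitted_at", "business.name", "business.address",
               "documents.type", "documents.uploaded_at"},
}

# US SSN shape with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_KEY_RE = re.compile(r"(dob|date_of_birth|birth)", re.I)


def walk(obj, path=""):
    """Yield (dotted_path, value) for every leaf of a JSON-like object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def find_leaks(endpoint, body):
    """Return (finding_type, path) for every field outside the allowlist and
    every value or key that looks like PII, regardless of allowlist."""
    allowed = RESPONSE_ALLOWLIST[endpoint]
    findings = []
    for path, value in walk(body):
        bare = re.sub(r"\[\d+\]", "", path)
        if bare not in allowed:
            findings.append(("unexpected_field", bare))
        if isinstance(value, str) and SSN_RE.search(value):
            findings.append(("ssn_pattern", bare))
        if DOB_KEY_RE.search(bare.rsplit(".", 1)[-1]):
            findings.append(("dob_field", bare))
    return findings


def first_drift(endpoint, samples):
    """Given (timestamp, body) samples in time order, return the timestamp of
    the first leaking response, or None. This is the detection-date the page
    measures in days."""
    for ts, body in samples:
        if find_leaks(endpoint, body):
            return ts
    return None


# --- constructed sample responses -------------------------------------------
GOOD = {
    "application_id": "WC-1001", "status": "under_review",
    "requested_amount": 25000, "currency": "USD",
    "submitted_at": "2025-06-30T14:02:11Z",
    "business": {"name": "Example Bakery LLC", "address": "12 Main St"},
    "documents": [{"type": "bank_statement",
                   "uploaded_at": "2025-06-30T13:55:00Z"}],
}
# The "after the bad release" shape: the serializer now includes the owner
# record that backs the application.
LEAKY = {**GOOD, "business": {**GOOD["business"], "owner": {
    "full_name": "Jane Example", "ssn": "123-45-6789",
    "date_of_birth": "1984-02-17", "email": "owner@example.com",
    "phone": "+1-415-555-0134"}}}
SAMPLES = [("2025-06-30T09:00:00Z", GOOD),
           ("2025-07-01T09:00:00Z", LEAKY),
           ("2025-07-02T09:00:00Z", LEAKY)]

if __name__ == "__main__":
    for f in find_leaks(ENDPOINT, LEAKY):
        print(*f)
    print("first drift:", first_drift(ENDPOINT, SAMPLES))
```

Two design points. The allowlist is the primary control: any new field is a finding even when it carries no recognisable PII, so a serializer change is caught the day it ships rather than when someone notices an SSN. The pattern checks are the backstop for fields that are allowlisted but start carrying the wrong data. On the constructed samples the clean response yields no findings, the leaking one yields seven (five unexpected fields, one SSN value, one birth-date key), and the first flagged sample is the day the leak began.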
The uncomfortable part of PayPal’s incident isn’t the number of customers affected. It’s how long the door was open. Five months. Detected by internal review, not by any monitoring system. For one of the largest payment platforms on earth, that gap isn’t a one-off error. It’s a structural blind spot.
What Connects All Three
Different companies. Different industries. Different attackers. Different methods. Same underlying failure pattern.
| | Stryker | European Commission | PayPal |
|---|---|---|---|
| Attack method | Admin credential compromise → device wipe via Intune | Zero-day (Ivanti) + AWS cloud breach | Code error exposing PII |
| Detection trigger | Devices went blank (visible damage) | Internal MDM monitoring + external claim | Internal code review |
| Pre-attack signals | Months of VPN brute-force attempts, prior 2024 breach, infostealer credential exposure | Active targeting by multiple threat groups, Ivanti advisory issued one day prior | Application behaviour change, potential dark web data surfacing |
| Detection gap | Attack staged over months, executed in hours | Feb breach didn’t prevent March breach at same institution | 165 days |
| What unified monitoring adds | Identity + threat intel + privilege escalation correlation | Cross-surface visibility + post-breach alert elevation | Continuous config monitoring + dark web correlation |
In each case, the signals were there. Scattered across different surfaces — threat intelligence feeds, dark web marketplaces, admin console logs, vulnerability advisories, application behaviour patterns. No single tool catches everything. But a view that connects those surfaces would have surfaced the pattern earlier than it was actually detected in all three incidents.
IBM’s data supports this structurally. Organisations deploying AI and automation extensively across security operations saved $1.9 million per breach on average and cut the breach lifecycle by 80 days. The top cost-mitigating factors from the 2025 report — DevSecOps ($227,192 saved), AI/ML security insights ($223,503), threat intelligence sharing ($211,906), encryption ($208,087) — are all components that unified digital risk monitoring brings under one roof.
Average data breach in 2025: $4.44 million globally. $10.22 million in the United States. Healthcare breaches: $7.42 million average, 279 days to detect and contain. These aren’t hypothetical numbers. Stryker is a healthcare technology company. PayPal operates under financial services regulation. The European Commission manages data for 450 million EU citizens.
Fragmented visibility has a cost. It showed up three times in the first three months of 2026 — at three organisations that, by any reasonable measure, had the resources and the capability to have caught the problem sooner.
This content is technically fact-checked by CyberNX.