Stryker Didn’t Get Hacked. It Got Unlocked.

IT tech walking into a facility

Stryker’s Stolen Data Could Have Been Worthless

Understanding how data breaches really happen starts here: not with a sophisticated zero-day exploit, but with a single compromised administrator account. On March 11, 2026, an Iran-linked hacker group called Handala walked into Stryker Corporation’s Microsoft environment, wiped tens of thousands of devices, and claimed to walk out with 50 terabytes of data. Stryker is a $22.6 billion medical technology company. Their have skilled staff tasked with preventing these incidents. Their policies were in place. None of it stopped this.

The device wipes got the headlines. The data theft should get your attention.

How Stryker was Compromised

Handala did not need special tools. They compromised a single administrator account, created a new global admin account of their own, and then used Microsoft’s own device management software to issue remote wipe commands across Stryker’s global network. By 8 a.m. UTC, over 80,000 devices were gone. Manufacturing stopped. Shipping stopped. Order processing went dark. Former CISA Director Chris Krebs called it a five-alarm fire. That is accurate. But the fire everyone is watching is not the only one that was lit.

50 Terabytes of Pure Leverage

Handala claims they took 50 terabytes of data before they started wiping. Stryker has not confirmed or denied that number. If it is true, that data likely includes design files, supplier contracts, hospital records, and employee information. That is not just a number; it is leverage. It can be used for fraud, phishing, extortion, and resale on the dark web for years to come.

The wipes disrupt. The stolen data endures. You can recover from a wipe. You can rebuild devices and restore systems. You cannot un-ring the bell on exfiltrated data. Once it is out, it is out.

How Data Breaches Really Happen: The Standard Protection Model’s Blind Spot

Most organizations encrypt data at rest and in transit. That means your data is protected when it is sitting in storage and when it is moving between systems. What it does not protect is the data layer itself; the place where your systems read, process, and store the actual content of your files.

At the moment, Handala’s compromised admin account reached into Stryker’s environment, the data in that layer was decrypted and readable. That is how standard systems work. The protections had already been satisfied. The door was open.

Sliding Doors: Same Scenario With A Different Outcome

What if Handala’s exfiltrated cache of data turned out to be nothing but worthless data hashes? All that effort and no payoff if the data was secured at the data layer with continuous encryption. (Where a system admin’s credentials, or even a developer’s would not grant them access to the data layer.)

Donoma Seshat is an encryption engine built for exactly this exposure window. It is not traditional hardware-powered homomorphic encryption; there is no performance penalty. Authorized users work as usual. What changes in this alternative scenario is what happens to the data itself: it remains encrypted at the data layer during active use, not just while sitting in storage.

Any data stored and processed through Seshat’s encryption layer would have left Stryker’s environment as cipher text, regardless of how it was accessed. An attacker pulling files from storage takes home content that is unreadable without the decryption infrastructure it came from. They could not read it, sell it, or use it to build convincing phishing attacks against Stryker’s hospital clients and suppliers.

The leverage disappears.

The device wipes would still have occurred. Seshat is not an endpoint protection tool; that is a different problem with different solutions. But the persistent, long-term threat from that exfiltrated data would have been neutralized.

Why This Matters for Healthcare

Medical technology companies sit at the intersection of sensitive patient data, supply chain records, and in some cases national security considerations. (Stryker sells into the Department of Defense.) Their devices are in operating rooms around the world. The data they hold is not just commercially sensitive; it is clinically sensitive.

That profile is not unique to Stryker. Every major healthcare technology company carries some version of it. The attack on Stryker is being called unprecedented in its scale for a U.S. company targeted by this group. It will not stay unprecedented for long.

Handala said this is “only the beginning of a new chapter in cyber warfare.” Security analysts are taking that at face value.

The Security Gap Is Known

The vulnerability here is not a mystery. Data-in-use encryption is the gap the industry has acknowledged for years and not been able to address at scale. The architectural reason why is covered in The Encryption At Rest Myth; the post that explains exactly why the industry standard leaves data exposed during the moments that matter most. Instead, the approach has been to control data security by controlling data access. The Stryker breach is a live example of what happens when access control fails; and access control always has a failure mode.

The Question Worth Asking

If your organization experienced what Stryker experienced on March 11, and an attacker walked out with 50 terabytes of your data, how much of it would be usable to them?

That question has a cost attached to it; and the numbers are larger than most organizations model. The difference is that one of those costs you can control. If you want to talk about what it would take to run a proof of concept in your environment, we are ready when you are. Schedule a no obligation solution briefing to learn more.

Frequently Asked Questions

How do data breaches really happen in large enterprise environments?

Most major breaches do not involve sophisticated zero-day exploits. They start with a single compromised credential. Once an attacker has legitimate access, particularly administrator-level access, they can move laterally through the environment, access decrypted data during active processing, and exfiltrate it before detection systems fire. The Stryker breach followed this exact pattern.

What is the difference between a hack and credential compromise?

A hack typically implies exploiting a technical vulnerability in code or infrastructure. Credential compromise means an attacker obtains valid login credentials, through phishing, social engineering, dark web purchase, or insider access; and simply logs in as a legitimate user. From a security system’s perspective, there is nothing to stop. The Stryker breach was credential compromise: Handala did not break in; they walked in through a door that was already open to the right username and password.

Why is exfiltrated data more dangerous than device wipes?

Device wipes are disruptive but recoverable. Systems can be rebuilt, devices replaced, and operations restored within days or weeks. Exfiltrated data is permanent. Once 50 terabytes of design files, supplier contracts, patient records, and employee information leave your environment, they cannot be recalled. That data can be used for extortion, fraud, targeted phishing against your clients and partners, and resale on criminal markets for years. The operational disruption ends. The data exposure does not.

What is data-in-use encryption and how would it have changed the Stryker outcome?

Data-in-use encryption keeps data encrypted during active processing, not just at rest and in transit. Standard encryption requires data to decrypt before it can be read or processed; creating an exposure window when legitimate credentials grant access. With data-in-use encryption, even a valid administrator credential cannot access readable data. Any files exfiltrated from a continuously encrypted environment leave as ciphertext with no usable value for extortion, fraud, or resale.

Does continuous encryption affect system performance for authorized users?

Next-generation continuous encryption platforms like Seshat operate at near-native query speeds on standard CPU hardware. Authorized users work as usual. The difference is what happens at the data layer: data remains encrypted during processing, so a compromised credential or insider threat cannot extract usable information. There is no performance penalty visible to the user; the protection operates below the application layer.

Is the Stryker breach pattern common in healthcare technology companies?

Yes. Medical technology companies carry an unusually high-value data profile: patient records, device specifications, supplier relationships, and in some cases defense contracts. That combination makes them attractive targets for nation-state actors and criminal organizations alike. The attack pattern: credential compromise followed by lateral movement and bulk exfiltration, is well-documented and increasingly common. The Stryker scale was unusual; the method was not.

Additional Reading

Red Hat’s $100M Cyber Breach Problem Is Likely Yours Too

The Encryption At Rest Myth: Why Your Encryption Strategy Fails to Protect Data

The Case for Continuous Encryption in Healthcare

Seshat: Data Privacy Preservation for Enterprise