Stryker’s Stolen Data Could Have Been Worthless
On March 11, 2026, an Iran-linked hacker group called Handala walked into Stryker Corporation’s Microsoft environment, wiped tens of thousands of devices, and claimed to walk out with 50 terabytes of data. Stryker is a $22.6 billion medical technology company. Their systems were current. Their policies were in place. None of it stopped this.
The device wipes got the headlines. The data theft should get your attention.
How Stryker Was Compromised
Handala did not need special tools. They compromised a single administrator account, created a new global admin account of their own, and then used Microsoft’s own device management software to issue remote wipe commands across Stryker’s global network. By 8 a.m. UTC, over 80,000 devices were gone. Manufacturing stopped. Shipping stopped. Order processing went dark. Former CISA Director Chris Krebs called it a five-alarm fire. That is accurate. But the fire everyone is watching is not the only one that was lit.
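Detection logic for the sequence described above, added here as an example and not taken from Stryker, Microsoft, or the original post: it flags a freshly created account that is granted Global Administrator, and a burst of wipe commands issued by a single actor. The event schema, field names, account names, thresholds, and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def ev(ts, actor, action, target, role=None):
    """Build one event in a simplified, hypothetical audit schema (an assumption)."""
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target, "role": role}

# Constructed sample events; not real log data and not a real export format.
SAMPLE = [
    ev("2026-01-05T06:50:00", "admin-a", "user_create", "svc-new"),
    ev("2026-01-05T06:52:00", "admin-a", "role_grant", "svc-new", "Global Administrator"),
    ev("2026-01-05T07:00:00", "helpdesk1", "device_wipe", "laptop-0001"),
] + [ev(f"2026-01-05T07:10:{i * 10:02d}", "svc-new", "device_wipe", f"dev-{i}")
     for i in range(6)]

def detect(events, fresh=timedelta(minutes=30), burst=5, window=timedelta(minutes=5)):
    """Return (kind, account, timestamp) alerts, in time order."""
    created, elevated = {}, set()
    wipes, alerted, alerts = defaultdict(deque), set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "user_create":
            created[e["target"]] = e["ts"]
        elif e["action"] == "role_grant" and e["role"] == "Global Administrator":
            elevated.add(e["target"])
            born = created.get(e["target"])
            # An account created minutes ago should not already hold the top role.
            if born is not None and e["ts"] - born <= fresh:
                alerts.append(("fresh_global_admin", e["target"], e["ts"]))
        elif e["action"] == "device_wipe":
            q = wipes[e["actor"]]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:   # keep only wipes inside the window
                q.popleft()
            if len(q) >= burst and e["actor"] not in alerted:
                alerted.add(e["actor"])       # one alert per actor
                kind = "mass_wipe_by_new_admin" if e["actor"] in elevated else "mass_wipe"
                alerts.append((kind, e["actor"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The single help-desk wipe in the sample stays below the burst threshold, so routine device retirement does not alert.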
50 Terabytes of Pure Leverage
Handala claims they took 50 terabytes of data before they started wiping. Stryker has not confirmed or denied that number. If it is true, that data likely includes design files, supplier contracts, hospital records, and employee information. That is not just a number; it is leverage. It can be used for fraud, phishing, extortion, and resale on the dark web for years to come.
The wipes disrupt. The stolen data endures. You can recover from a wipe. You can rebuild devices and restore systems. You cannot un-ring the bell on exfiltrated data. Once it is out, it is out.
The Standard Protection Model Wasn’t Built for This
Most organizations encrypt data at rest and in transit. That means your data is protected when it is sitting in storage and when it is moving between systems. What it does not protect is the data layer itself: the place where your systems read, process, and store the actual content of your files.
At the moment Handala’s compromised admin account reached into Stryker’s environment, the data in that layer was decrypted and readable. That is how standard systems work. The protections had already been satisfied. The door was open.
Sliding Doors: Same Scenario With A Different Outcome
What if Handala’s exfiltrated cache of data turned out to be nothing but worthless data hashes? All that effort would bring no payoff if the data was secured at the data layer with continuous encryption, where a system admin’s credentials, or even a developer’s, would not grant access to the data layer.
Donoma Seshat is an encryption engine built for exactly this exposure window. It is not traditional hardware-powered homomorphic encryption; there is no performance penalty. Authorized users work as usual. What changes in this alternative scenario is what happens to the data itself: it remains encrypted at the data layer during active use, not just while sitting in storage.
Any data stored and processed through Seshat’s encryption layer would have left Stryker’s environment as cipher text, regardless of how it was accessed. An attacker pulling files from storage takes home content that is unreadable without the decryption infrastructure it came from. They could not read it, sell it, or use it to build convincing phishing attacks against Stryker’s hospital clients and suppliers.
The leverage disappears.
The device wipes would still have occurred. Seshat is not an endpoint protection tool; that is a different problem with different solutions. But the persistent, long-term threat from that exfiltrated data would have been neutralized.
Why This Matters for Healthcare
Medical technology companies sit at the intersection of sensitive patient data, supply chain records, and in some cases national security considerations. (Stryker sells into the Department of Defense.) Their devices are in operating rooms around the world. The data they hold is not just commercially sensitive; it is clinically sensitive.
That profile is not unique to Stryker. Every major healthcare technology company carries some version of it. The attack on Stryker is being called unprecedented in its scale for a U.S. company targeted by this group. It will not stay unprecedented for long.
Handala said this is “only the beginning of a new chapter in cyber warfare.” Security analysts are taking that at face value.
The Security Gap Is Known
The vulnerability here is not a mystery. Data-in-use encryption is the gap the industry has acknowledged for years and has not been able to address at scale. Instead, the approach has been to control data security by controlling data access. The Stryker breach is a live example of what happens when access control fails, and access control always has a failure mode.
The Question Worth Asking
If your organization experienced what Stryker experienced on March 11, and an attacker walked out with 50 terabytes of your data, how much of it would be usable to them?
That question has a cost attached to it. So does the answer. The difference is that one of those costs you can control. If you want to talk about what it would take to run a proof of concept in your environment, we are ready when you are. Schedule a no-obligation solution briefing to learn more.