Stryker Internal Microsoft Attack Wipes Tens of Thousands of Devices, Disrupts Ordering Systems
What Happened – A threat actor compromised a Global Administrator account in Stryker’s Microsoft Intune environment and issued the remote‑wipe command, erasing data from roughly 80,000 employee devices (including personal devices enrolled in the corporate network). The attack was limited to Stryker’s internal Microsoft environment; no malware or ransomware was deployed and no evidence of data exfiltration was found.
Why It Matters for TPRM –
- Credential‑based abuse of a cloud‑based endpoint management platform can silently destroy corporate data and halt business‑critical processes.
- Supply‑chain and ordering systems that rely on the compromised environment may experience prolonged downtime, affecting downstream customers.
- Personal data on employee‑owned devices can be lost, raising privacy and compliance concerns for organizations that permit BYOD enrollment.
Who Is Affected – Healthcare and life‑sciences organizations that source medical devices, digital health solutions, or procurement services from Stryker; any third party relying on Stryker’s ordering or transactional platforms.
Recommended Actions –
- Review contracts and service‑level agreements with Stryker for clauses covering cloud‑admin security and incident response.
- Verify that your own BYOD or device‑enrollment policies limit corporate control over personal data.
- Request evidence of Stryker’s remediation steps, including MFA enforcement for privileged accounts and audit of Intune admin activity.
Technical Notes –
- Attack vector: stolen Global Administrator credentials used to invoke the Intune “wipe” command (no CVE or malware involved).
- Data types impacted: personal files on employee devices; no patient‑health data or product firmware was compromised.
- Source: BleepingComputer
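One way to audit Intune admin activity for the pattern described here is to flag any account that wipes many distinct devices within a short window. This is an added example, not code from Stryker, Microsoft, or the source article; the record fields, account names, device names, timestamps, threshold, and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records. The field names (time, actor, action, device)
# are assumptions for this example, not the Intune audit log schema.
def make_sample():
    base = datetime(2025, 1, 1, 2, 0, 0)  # constructed timestamp
    events = [
        {"time": base, "actor": "helpdesk@example.test", "action": "wipe", "device": "LT-0001"},
        {"time": base + timedelta(hours=5), "actor": "helpdesk@example.test",
         "action": "wipe", "device": "LT-0002"},
        {"time": base + timedelta(hours=6), "actor": "helpdesk@example.test",
         "action": "sync", "device": "LT-0003"},
    ]
    # One admin account wiping 40 distinct devices, 10 seconds apart.
    events += [{"time": base + timedelta(hours=8, seconds=10 * i),
                "actor": "ga-admin@example.test", "action": "wipe",
                "device": f"PH-{i:04d}"} for i in range(40)]
    return events

def find_wipe_bursts(events, threshold=10, window=timedelta(minutes=15)):
    """Return one alert per actor whose wipes hit `threshold` distinct devices within `window`."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        # Drop wipes that have aged out of the sliding window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        distinct = {device for _, device in q}
        if len(distinct) >= threshold:
            alert = alerts.setdefault(
                ev["actor"], {"actor": ev["actor"], "first_alert": ev["time"], "peak": 0})
            alert["peak"] = max(alert["peak"], len(distinct))
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_wipe_bursts(make_sample()):
        print(f"{alert['actor']}: threshold crossed at {alert['first_alert']}, "
              f"peak {alert['peak']} devices in window")
```

The threshold should sit above the normal help-desk wipe rate so that routine single-device wipes do not alert.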