Incident · Unknown

Stryker Corporation · SYK

Health Care · USA · Incident March 11, 2026 · Filed March 11, 2026
Impact score
Business continuity: Partial
Insurance involved: Not disclosed
Filing: 8-K · 8.01

Breach taxonomy

Unknown · System Outage · Account Takeover · Revenue Process · Cost Process · Biz Interruption

Summary

On March 11, 2026, Stryker Corporation identified a cybersecurity incident affecting its Entra ID/Active Directory environment, servers, and workstations, causing a global disruption to its Microsoft environment. Upon detection, the Company activated its cybersecurity response plan, engaged Palo Alto Networks Unit 42 for DFIR, and involved Microsoft to assist with identity infrastructure recovery. Forensic analysis by Unit 42 identified and neutralized malicious binaries and unauthorized persistence mechanisms; all known IOCs were eradicated and no unauthorized activity has been detected since 2026-03-11. As of 2026-03-20, Unit 42 confirmed no active, uncontained, persistent unauthorized access; impacted systems are being rebuilt or restored from pre-compromise backups, with isolated systems remaining offline pending recovery. The incident was filed under Item 8.01; materiality had not yet been determined as of the filing date.

Tagging rationale

Threat: Unknown

Filing does not attribute the incident to a specific actor; states only that there is no indication of ransomware or malware → UNKNOWN.

Methods: System Outage, Account Takeover

The March 23 Reg FD update (Palo Alto Networks Unit 42 letter) confirmed the incident targeted Stryker's Entra ID/Active Directory environment, servers, and workstations, and that malicious binaries and unauthorized persistence mechanisms were found and neutralized — indicating an identity infrastructure compromise (ACCOUNT-TAKEOVER) that caused the broader system outage (SYSTEM-OUTAGE). This contradicts the original filing's 'no indication of ransomware or malware' statement, which reflected early-stage knowledge.

Assets: Revenue Process, Cost Process

Filing describes disruptions and limitations of access to business applications supporting aspects of the Company's operations and corporate functions, indicating revenue-generating and cost-supporting business processes were impacted.

Effects: Biz Interruption

Filing states the incident caused disruptions and limitations to operations and corporate functions with the full restoration timeline unknown → BIZ-INTERRUPTION.

Business continuity: Partial

Company activated its cybersecurity response plan and business continuity measures; as of 2026-03-20 all known IOCs were eradicated and no persistent threat remained, but systems are still being rebuilt or restored from backups and isolated systems remain offline → Partial.

Impact

Global disruption to Microsoft environment affecting operations and corporate functions at a major medical device company (Stryker); no financial figures or data exposure disclosed, but global operational scope at a Mega-cap company warrants a moderate score → 3.

Insurance: Not disclosed

Filing makes no mention of insurance → null.

Original SEC filing excerpt

Item 8.01 Other Events. On March 11, 2026, Stryker Corporation ("we" or the "Company") identified a cybersecurity incident affecting certain information technology systems of the Company that has resulted in a global disruption to the Company's Microsoft environment. Upon detection, the Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors and cybersecurity experts to assess and to contain the threat. The Company has no indication of ransomware or malware and believes the incident is contained. The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company's information systems and business applications supporting aspects of the Company's operations and corporate functions. While the Company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known. The Company has business continuity measures in place to continue to support its customers and partners. The Company's investigation of the cybersecurity incident is ongoing, and the full scope, nature and impacts, including operational and financial impacts, of the incident are not yet known. Accordingly, the Company has not yet determined whether the incident is reasonably likely to have a material impact on the Company.