March 2026: Wiper Attack Paralyzes Stryker as BPO Breaches & Data Thefts Sweep the Month
March 2026 brought a heavy concentration of significant cyber incidents across healthcare, outsourcing, software supply chains, and the entertainment sector. A politically motivated wiper attack against a major medical device manufacturer drew particular attention, while a sprawling supply chain campaign compromised trusted developer tooling across multiple ecosystems. Two separate breaches at business process outsourcing providers demonstrated how a single compromise can cascade across dozens of downstream organizations, and healthcare data continued to be a primary target, with millions of patient records exposed through third-party systems and academic research infrastructure. Across these incidents, delayed detection and slow victim notification emerged as recurring failures.
Iran-Linked Group Wiped Over 80,000 Stryker Devices Across 79 Countries
On March 11, 2026, medical technology company Stryker Corporation suffered a destructive cyberattack attributed to Handala, a hacktivist group assessed by Palo Alto Networks as a persona operated by Iran’s Ministry of Intelligence and Security (MOIS). The group claimed the attack was retaliation for a U.S. military strike in Iran earlier that month. Attackers gained access to Stryker’s Microsoft Intune environment and abused its remote device management capabilities to wipe corporate devices at scale. More than 80,000 systems were affected, forcing Stryker to send home approximately 5,500 employees in Ireland alone and disrupt operations across 79 countries, including the U.S., India, and Australia.
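The abuse described above turns a legitimate management capability into a wiper, so the defensive signal is not the wipe command itself but its rate and spread: one identity issuing far more destructive actions than any administrator would in a few minutes. The following is an added example (not Stryker's, Microsoft's or SOCRadar's code) of a per-actor sliding-window detector over MDM audit events. The event records and their field names (`time`, `actor`, `action`, `device`) are constructed for illustration and do not follow the real Intune audit log schema.

```python
"""Flag a burst of remote-wipe actions by a single identity in MDM audit events.

Added example. The events below are constructed, and the field names are
assumptions for illustration, not the real Intune audit log schema.
"""
from collections import deque
from datetime import datetime, timedelta

# Actions that destroy or detach a managed device; tune to your MDM's vocabulary.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}

# Constructed sample: a helpdesk account does routine work over hours, while a
# service account issues 30 wipes in one minute, far faster than a human operator.
SAMPLE_EVENTS = [
    {"time": "2026-03-11T02:00:00Z", "actor": "helpdesk@example.com", "action": "Wipe", "device": "LAPTOP-001"},
    {"time": "2026-03-11T03:15:00Z", "actor": "helpdesk@example.com", "action": "Retire", "device": "LAPTOP-014"},
    {"time": "2026-03-11T04:00:00Z", "actor": "svc-intune@example.com", "action": "Sync", "device": "LAPTOP-020"},
] + [
    {"time": f"2026-03-11T04:30:{s:02d}Z", "actor": "svc-intune@example.com",
     "action": "Wipe", "device": f"LAPTOP-{100 + s:03d}"}
    for s in range(0, 60, 2)  # 30 wipe events, two seconds apart
]


def parse_time(ts):
    """Parse the constructed ISO-8601 UTC timestamp format used in the sample."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_wipe_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per actor whose destructive actions reach `threshold`
    within any `window`-long span. `count` is the peak number seen in a window.

    A sliding window per actor is used so that a slow, legitimate trickle of
    wipes over a workday never accumulates into an alert.
    """
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    recent = {}  # actor -> deque of timestamps still inside the window
    peaks = {}   # actor -> largest in-window count that crossed the threshold
    for e in events:
        if e["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        t = parse_time(e["time"])
        q = recent.setdefault(e["actor"], deque())
        q.append(t)
        while t - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[e["actor"]] = max(peaks.get(e["actor"], 0), len(q))
    return [{"actor": actor, "count": count} for actor, count in sorted(peaks.items())]


def affected_devices(events, actor):
    """Scope the blast radius: distinct devices the actor issued destructive actions against."""
    return {e["device"] for e in events
            if e["actor"] == actor and e["action"] in DESTRUCTIVE_ACTIONS}


if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE_EVENTS):
        devices = affected_devices(SAMPLE_EVENTS, alert["actor"])
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions in window, "
              f"{len(devices)} devices affected")
```

The threshold and window are deliberately conservative defaults; the right values depend on how many wipes your own administrators legitimately issue per shift, and the alert should be wired to a response that can suspend the acting identity and its Intune role assignment, since the page's incident shows that waiting for a human to notice is too slow at this rate.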

Threat actor card of Handala Hack
A subsequent investigation by Unit 42, confirmed in a March 24 update, found that a malicious file had been used to conceal the attackers’ activity while inside Stryker’s systems. Despite earlier statements to the contrary, Stryker acknowledged the file’s role in the intrusion, though it confirmed the file was not capable of spreading beyond the environment. Order processing, manufacturing, and shipping were all temporarily disrupted. A Justice Department affidavit later cited direct impact on hospitals and emergency medical services in Maryland. The U.S. government officially attributed Handala to MOIS and took down several of the group’s online resources. Stryker confirmed the attack had a material impact on its Q1 2026 earnings, though it reported returning to full operational capacity by late March.
ShinyHunters Stole Up to 1 Petabyte of Data From Telus Digital in Multi-Month Breach
Business process outsourcer Telus Digital confirmed on March 12, 2026, that it had been the target of a significant cyberattack attributed to the ShinyHunters extortion gang. The breach was not a sudden intrusion; signs of unauthorized access had surfaced as early as January 2026.
ShinyHunters reportedly gained entry to Telus Digital’s Google Cloud Platform environment using credentials found in data stolen during the earlier Salesloft Drift breach in 2025. Once inside, they used the credential-scanning tool TruffleHog to mine downloaded data for additional access tokens, enabling lateral movement across multiple internal systems, including a BigQuery instance.
ShinyHunters claimed the total haul reached close to 1 petabyte, though independent confirmation of that figure was not established at the time of disclosure. Reports confirm a floor of at least 700 terabytes. Stolen data allegedly spans BPO customer support records, call recordings, agent performance data, AI tooling, source code, FBI employee background check results, and Salesforce records belonging to at least 28 of Telus Digital’s client companies. The threat actors demanded $65 million and received no response. Telus Digital stated that business operations remained fully functional, engaged external forensic experts, and began notifying affected clients.

SOCRadar’s Threat Actor Intelligence
Handala and ShinyHunters were both active and well-documented long before this month’s headlines. SOCRadar’s Cyber Threat Intelligence module maintains detailed profiles on threat actors like these, covering their infrastructure, historical campaigns, preferred tactics and techniques, sector targeting, and known aliases. Whether you’re investigating an active incident or building a proactive defense posture, SOCRadar CTI gives your team the context to understand who is behind an attack, how they operate, and who they are likely to target next.
Navia API Flaw Exposed Personal Data of 2.7 Million Individuals
Navia Benefit Solutions, a U.S. benefits administrator serving over 10,000 employers, disclosed in March 2026 that an unauthorized actor had accessed and exfiltrated data belonging to roughly 2.7 million individuals. The intrusion exploited a Broken Object Level Authorization (BOLA) vulnerability in Navia’s API, allowing the attacker to retrieve other users’ records by manipulating API request parameters. Access persisted undetected from December 22, 2025 through January 15, 2026, with Navia detecting suspicious activity on January 23.
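BOLA is easiest to see in code: the endpoint authenticates the caller correctly and then looks up whatever object id the request names, never asking whether that object belongs to the caller. The following added example (not Navia's code or API) shows the vulnerable lookup beside two hardened forms, using a constructed in-memory records store with made-up ids and values. It also returns the same "not found" response for missing and foreign records, so the API does not confirm which ids exist.

```python
"""Broken Object Level Authorization (BOLA): vulnerable lookup beside the fix.

Added example with a constructed in-memory store; record ids, user ids and
field values are made up and this is not any real benefits administrator's API.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


@dataclass(frozen=True)
class Session:
    """Authenticated caller. Authentication alone is what the vulnerable handler relies on."""
    user_id: str
    role: str = "member"


# Constructed store: record_id -> (owner_user_id, payload)
RECORDS = {
    "rec-1001": ("user-a", {"name": "Participant A", "ssn_last4": "1111"}),
    "rec-1002": ("user-b", {"name": "Participant B", "ssn_last4": "2222"}),
    "rec-1003": ("user-b", {"name": "Participant B dependent", "ssn_last4": "3333"}),
}


def get_record_vulnerable(session, record_id):
    """BOLA: checks that *someone* is logged in, then trusts the caller-supplied id.

    Any authenticated user can read any record by changing `record_id`.
    """
    if session is None:
        raise Forbidden("login required")
    _owner, payload = RECORDS[record_id]
    return payload


def get_record_hardened(session, record_id):
    """Fix: enforce ownership of the object, not just authentication.

    Missing and foreign records get the identical error so the API leaks
    nothing about which ids exist.
    """
    if session is None:
        raise Forbidden("login required")
    owner, payload = RECORDS.get(record_id, (None, None))
    if owner is None or (owner != session.user_id and session.role != "admin"):
        raise Forbidden("record not found")
    return payload


def list_records_hardened(session):
    """Alternative design: accept no object id at all; derive the scope from the session."""
    if session is None:
        raise Forbidden("login required")
    return {rid: payload for rid, (owner, payload) in RECORDS.items()
            if owner == session.user_id}


def is_forbidden(handler, session, record_id):
    """True when the handler refuses the request; used to show the fix denies cross-user reads."""
    try:
        handler(session, record_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = Session("user-a")
    # Vulnerable: user-a reads user-b's record just by naming its id.
    print("vulnerable:", get_record_vulnerable(alice, "rec-1002"))
    # Hardened: same request is refused; own record still works.
    print("hardened denies cross-user read:", is_forbidden(get_record_hardened, alice, "rec-1002"))
    print("hardened own record:", get_record_hardened(alice, "rec-1001"))
```

The ownership check must live in the data-access path (or a single authorization layer every handler calls), not in individual route handlers where one forgotten check reopens the hole. As a detection bonus, once the check exists, a single session producing many "record not found" responses for distinct ids is a clear enumeration signal that the vulnerable version never generated.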
Stolen data included full names, Social Security numbers, dates of birth, addresses, phone numbers, email addresses, and health plan enrollment details. Financial and claims data were not accessed. Among the affected organizations was cybersecurity firm HackerOne, which disclosed that 287 of its employees had data exposed through Navia’s role as their benefits provider. HackerOne publicly criticized the delay in notification, having received Navia’s alert letter in March despite it being dated February 20.
HackerOne stated it was evaluating whether to move to an alternative benefits provider if Navia’s security practices did not meet acceptable standards. No threat actor has claimed responsibility, and no confirmed misuse of the stolen data had been reported at the time of disclosure.
TeamPCP Supply Chain Campaign Compromised Trivy, Checkmarx, and Multiple Package Ecosystems
In March 2026, a threat actor tracked as TeamPCP executed a cascading software supply chain attack that spread across CI/CD pipelines, package registries, and developer tooling over the course of roughly a week. The campaign originated from a remediation gap following a February 27 “Pwn Request” attack against Aqua Security’s Trivy project, which had left a CI/CD service account token exposed. On March 19, TeamPCP exploited that access to push a malicious Trivy release, turning the trusted distribution path into a credential harvesting channel. Malicious versions of related GitHub Actions began collecting secrets from runner environments, including GitHub tokens, SSH keys, cloud credentials, and Kubernetes material, and exfiltrating them in encrypted archives.

Threat actor card of TeamPCP
The campaign expanded rapidly. Malicious Docker images were pushed directly to Docker Hub, dozens of npm packages were poisoned through a self-propagating worm called CanisterWorm, and compromised PyPI credentials were used to publish malicious litellm and Telnyx SDK releases. By March 23, the actor had pivoted into Checkmarx infrastructure, compromising two GitHub Actions workflows and publishing malicious OpenVSX developer extensions through a hijacked account. A destructive payload variant also emerged, targeting systems configured with Iranian locale settings and capable of wiping Kubernetes nodes. Telegram activity attributed to TeamPCP indicated the group intended to continue operating and had accumulated substantial stores of stolen credentials for further use.
Crunchyroll Investigated a Breach After Hacker Claimed Access to 6.8 Million User Records
Anime streaming platform Crunchyroll began investigating a claimed breach on or around March 22, 2026, after a threat actor contacted media outlets to describe unauthorized access gained on March 12. According to the actor, an employee of Telus Digital (acting as a BPO support provider for Crunchyroll) had malware executed on their workstation, granting the attacker access to that employee’s Okta SSO account. Using that access, the attacker connected to Crunchyroll’s Zendesk support system and extracted approximately 8 million support tickets over a 24-hour window before their access was revoked.
The attacker claimed the records contained 6.8 million unique email addresses, along with usernames, login names, IP addresses, general geographic locations, and the contents of support tickets. A demand of $5 million was sent to Crunchyroll but received no response.

Overview of the Crunchyroll data breach (HIBP)
Crunchyroll confirmed the incident was under investigation and stated that the compromised data appeared limited to customer service ticket information originating from a third-party vendor. The company found no evidence of ongoing unauthorized access. A class action lawsuit was filed on March 24 in California federal court, alleging negligence and failure to monitor vendor security practices.
TriZetto’s Year-Long Breach Exposed Health Data of 3.4 Million Patients
TriZetto Provider Solutions, a healthcare IT company owned by Cognizant, disclosed in early March 2026 that hackers had accessed its external web portal and stolen personal and health information belonging to 3,433,965 individuals. The intrusion began on November 19, 2024, but was not detected until October 2, 2025. Affected providers were notified on December 9, 2025, and patient notification letters began going out on February 6, 2026.
The compromised records were tied to insurance eligibility verification transactions, a function that sits between healthcare providers and insurers during patient intake. Exposed data varied by individual but included names, dates of birth, addresses, Social Security numbers (SSNs), Medicare beneficiary numbers, health insurance details, and provider information. Financial account and payment card data were not affected.
TriZetto offered 12 months of complimentary credit monitoring through Kroll to impacted individuals. No ransomware group has claimed responsibility, and no evidence of identity fraud linked to the breach had been reported at the time of disclosure.
University of Hawaii Cancer Center Ransomware Attack Compromised 1.2 Million Records
The University of Hawaii Cancer Center disclosed on February 27, 2026, that a ransomware attack detected on August 31, 2025, had resulted in the exposure of personal data belonging to approximately 1.24 million individuals. The attack targeted servers within the center’s Epidemiology Division and did not affect clinical operations, patient care systems, or student records. The extensive encryption of affected systems prolonged the forensic process, delaying the university’s ability to determine the full scope of the breach.
The exposed data fell into two groups. Roughly 87,493 participants in the Multiethnic Cohort (MEC) Study, a long-running epidemiological research project active between 1993 and 1996, had health-related research records exposed. An additional approximately 1.15 million individuals were affected through historical driver’s license records collected in 2000 and Honolulu voter registration files from 1998, both of which had been used for research recruitment and contained Social Security numbers.
The university confirmed that it paid a ransom to obtain a decryption tool and a commitment from the attackers to destroy the stolen data, though no public confirmation of that destruction was made. No specific threat actor was named in the disclosure.
Monitor Your Exposure With SOCRadar Dark Web Monitoring
Data breaches often result in stolen records and credentials quietly appearing in underground forums, paste sites, and private leak channels well before any official notice reaches victims.

SOCRadar’s Dark Web Monitoring
SOCRadar’s Dark Web Monitoring keeps watch across these sources around the clock, covering:
- Leaked credentials and compromised accounts
- Stolen corporate and customer data
- Threat actor mentions of your organization
- Exposed source code and internal documents
So your team gets an early warning instead of a late surprise.
