Logo with a red square containing a white "N" and a dot, above the word "Neoteric" in bold, dark blue letters.
Contact

5,500 Irish Workers Locked Out Overnight. Is Your Business Next?

On 11 March 2026, Stryker’s Cork and Limerick operations were paralysed by a cyberattack that used a tool millions of Irish businesses rely on every day. Here’s what happened — and what you need to do right now.

Picture this: you arrive at your desk on a Tuesday morning, open your laptop, and instead of your usual login screen, you’re staring at a hacker’s logo. Your files — gone. Your email — inaccessible. Your phone, with the work app installed — factory reset. Personal photos, gone. Banking app, gone. That’s exactly what happened to thousands of real people at Stryker’s Cork and Limerick sites in March 2026. And the terrifying reality? The tool that was used to do it is almost certainly running in your organisation right now.

What Actually Happened in Cork and Limerick

Stryker is a Fortune 500 medical technology company with over 4,000 employees in Cork — its single largest site outside the United States — and a further 1,400 across Limerick and Belfast. On 11 March 2026, an Iranian-linked hacktivist group called Handala claimed responsibility for an attack that stopped Stryker’s global operations in their tracks.

Within hours of the breach, devices across 79 countries had been remotely wiped. Employees at Cork and Limerick arrived at work to find screens displaying the Handala logo. People who had their personal phones enrolled in the company’s device management system found those devices entirely erased — eSIM cards wiped, photos deleted, banking apps gone. Staff were sent home. Assembly lines stopped. Management communicated via WhatsApp.

5,500+Irish employees unable to work
79Countries affected globally
80,000Devices remotely wiped
50TBData claimed extracted

“There’s nothing happening at the moment. The impact of this is massive.”

— Stryker Cork employee, speaking to the Irish Examiner, March 2026

How They Did It — And Why It Should Worry You

Here’s the part that should give every Irish business owner pause: this attack required no exotic malware, no custom exploit, no mysterious dark web tool. The attackers used Microsoft Intune — a legitimate, widely deployed cloud platform for managing devices — against the company that owned it.

Investigators believe Handala obtained the credentials of an administrator with Global Admin access to Stryker’s Intune environment — most likely through a phishing attack. Once inside, they created a new administrator account and used Intune’s built-in remote wipe feature to simultaneously factory-reset every enrolled device across the entire global network.

No custom code. No complicated hack. Just a stolen password, a missing security control, and a legitimately powerful tool pointed in the wrong direction.

⚠ CISA Advisory — 18 March 2026

CISA, co-authoring with Microsoft and Stryker, directed all organisations to harden Microsoft Intune: enforce least-privilege RBAC, require phishing-resistant MFA, and configure Multi Admin Approval so that a second administrator must approve any sensitive action — including device wipes. The advisory states: “Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping).” Read the full advisory: cisa.gov. Also covered by Reuters and Bloomberg.

Why Ireland Is Squarely in the Crosshairs

You might be thinking: we’re not a US multinational, we’re not a high-profile target. That assumption is exactly the vulnerability that groups like Handala rely on.

Richard Browne, Director of Ireland’s National Cyber Security Centre (NCSC), told RTÉ News after the attack: “We’re heavily dependent on a systematic, global network of services and infrastructure. We saw that in Stryker, where an entity based in the US had an incident in the US that had an impact here. That kind of thing is entirely possible in a whole range of other areas and that’s the most pressing risk we have.”

The Irish Times reported that the NCSC issued a statement confirming it was “aware of the cyber incident affecting Stryker and is liaising with the company and relevant partners,” adding that it was “continuing to monitor the situation closely and assess any impact for Ireland.”

“That kind of thing is entirely possible in a whole range of other areas and that’s the most pressing risk we have.”

— Richard Browne, Director, National Cyber Security Centre (NCSC Ireland) — RTÉ News, 20 March 2026

Is Your Business Exposed? A Simple Self-Check

If your organisation uses any of the following, you share the same attack surface as Stryker’s Irish operations:

  • Microsoft 365 or Microsoft Intune for device management
  • Cloud-based email with mobile device enrolment (including BYOD)
  • Global Administrator accounts without secondary approval controls
  • Remote or hybrid teams relying on cloud infrastructure
  • Azure Active Directory or Entra ID for identity management
✓ Quick Self-Check

Could a single administrator in your organisation wipe every device in the company without a second person’s approval? If the answer is yes — or “I don’t know” — that is the exact gap CISA’s advisory says must be closed. Enabling Multi Admin Approval in Intune directly addresses this.

5 Things Every Irish Business Must Do This Week

These five steps come directly from the CISA advisory of 18 March 2026 and from Microsoft’s own hardening guidance published in response to the Stryker incident. None require large budgets or long timelines — they require action.

  1. Audit every Global Administrator account in Microsoft Intune and Azure AD Who has admin access right now? Can any single one of those accounts — if compromised via phishing — wipe your entire device fleet without triggering an alert? Apply least privilege: every account should have only the access that their role strictly requires. Delete or demote any orphaned, dormant, or over-privileged accounts immediately.
  2. Enable Multi Admin Approval for sensitive actions in Intune CISA identified this as the single most impactful control. Requiring a second administrator to approve destructive actions — like a remote device wipe — means one stolen credential cannot cause company-wide devastation. This is a native Microsoft feature. It takes minutes to configure. It could have prevented the Stryker incident.
  3. Enforce phishing-resistant MFA on every account — especially admins The Stryker breach almost certainly started with a phishing email. Modern phishing-resistant MFA — FIDO2 hardware keys or Microsoft Authenticator with number matching — makes stolen credentials far harder to weaponise, even if an attacker has your password. Basic SMS-based MFA is not sufficient.
  4. Test your backup and disaster recovery right now — not next quarter If your systems were wiped tomorrow, how quickly could you recover? That answer is defined entirely by decisions made before the attack. Off-site, isolated backups disconnected from your primary network are the difference between a difficult week and permanent data loss. When did you last test that a recovery actually works?
  5. Run a security awareness session with your whole team this month The Stryker attack most likely started with one person clicking one link. Phishing simulations, security awareness training, and clear policies for reporting suspicious emails turn your biggest vulnerability into your strongest early warning system. Your people can be your best defence — but only if they’ve been trained.

The Bigger Picture: A New Normal for Irish Business Security

The Stryker attack is the most dramatic cyberattack ever to hit Irish soil. But security experts warn it is not an outlier — it is a preview. Ireland’s profile as a European tech hub, its deep integration with US multinationals, and its growing SME sector make it an increasingly attractive and accessible target for well-resourced threat actors.

The good news — and it genuinely is good news — is that the vulnerabilities exploited here are known, documented, and fixable. The controls that would have prevented this attack are not expensive or experimental. They are available today, to businesses of every size, and they work.

What separates organisations that survive an incident from those that don’t isn’t luck or budget. It’s the decisions made in advance — the configurations applied, the controls switched on, the culture built around security before a crisis arrives.

The Stryker attack is Ireland’s clearest signal yet: in 2026, cybersecurity is not an IT issue. It is a business continuity issue. And the time to act is before the screen goes blank.

Your Questions, Answered

What exactly was the Stryker cyberattack in Ireland in March 2026?

On 11 March 2026, Iranian-linked hacktivist group Handala claimed responsibility for a cyberattack that paralysed Stryker’s global operations. Stryker’s Cork facility is the company’s largest site outside the United States, employing over 4,000 people, with a further 1,400 across Limerick and Belfast. Over 5,500 Irish employees were unable to work. Attackers used compromised Microsoft Intune administrator credentials to remotely wipe up to 80,000 devices globally across 79 countries — including personal phones enrolled in the company’s MDM system. Recovery was described as “incredibly painstaking.”

How did the attackers exploit Microsoft Intune — and what is Intune?

Microsoft Intune is a cloud-based platform used by organisations to manage laptops, phones, and other devices remotely — including the ability to wipe a device if it is lost or stolen. The Stryker attackers obtained Global Administrator credentials for Stryker’s Intune environment (most likely via phishing), created a new admin account, and then used Intune’s legitimate remote wipe feature to simultaneously erase every enrolled device across the global network. No custom malware was needed. The attack exploited a governance failure — unchecked admin access with no secondary approval required for destructive actions.

Are Irish SMEs really at risk — or is this just a problem for big multinationals?

Any organisation using Microsoft Intune, Microsoft 365, or similar cloud-based tools faces the same fundamental attack surface. Ireland’s NCSC Director Richard Browne confirmed that “this kind of thing is entirely possible in a whole range of other areas.” Cybersecurity experts in Cork reported a very significant increase in cyber activity in the weeks following the Stryker attack. SMEs are often more vulnerable than large enterprises because they lack dedicated security teams, making them attractive targets for groups seeking high disruption with low resistance.

What is the CISA advisory and does it apply to businesses in Ireland?

Following the Stryker attack, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory co-authored with Microsoft urging all organisations using Intune to harden their environments. Key recommendations include enabling Multi Admin Approval for sensitive actions, enforcing phishing-resistant MFA, and auditing administrator access levels. While CISA is a US agency, the guidance is globally applicable — any organisation using Microsoft cloud services is affected by the same vulnerabilities and should follow the recommended steps.

How can Newtec Services help protect my Irish business from this type of attack?

Newtec Services provides managed IT and cybersecurity services tailored for Irish businesses. Our team — based across Shannon, Dublin, and Limerick — can audit your Microsoft Intune and Microsoft 365 environments, configure Multi Admin Approval and phishing-resistant MFA, implement Identity & Access Management controls, set up isolated Backup & Disaster Recovery, deliver Security Awareness Training for your staff, and provide 24/7/365 Security Operations Centre monitoring. We are ISO 27001 certified and the first IT company in Ireland to achieve Forrester Zero Trust Security certification. 98% of our clients renew their contracts year after year. Book a free consultation to get started.

Sources & Further Reading

Related Posts