Stryker Security Breach – How Important Is MFA?
Key Takeaways
- Global Admin Access = Total Exposure: Compromising a single Global Administrator account gave attackers unrestricted control, allowing them to create new admin accounts, execute commands, and wipe thousands of devices.
- Phishing & Credential Stuffing Are Highly Effective: The breach highlights how social engineering and reused credentials remain major vulnerabilities, especially when tied to high-privilege accounts.
- MFA Is Critical – But Must Be Phishing-Resistant: Basic MFA isn’t enough; organizations need stronger, phishing-resistant MFA and tighter privileged access controls to prevent unauthorized admin access.
- Least Privilege & Multi-Approval Reduce Risk: Limiting user permissions and requiring multiple admin approvals for critical actions can significantly contain damage and help detect malicious activity early.
On March 11th, 2026, Stryker, a global medical technology firm, suffered an attack on its Microsoft cloud environment that (allegedly) compromised roughly 200,000 devices, including servers, work computers, corporate phones, and personal devices that were enrolled in the company portal. Data on over 59,000 people, (allegedly) about 50 terabytes (TB) in total, was exfiltrated from Stryker operations across 79 countries. Handala, a hacktivist group linked to Iran's Ministry of Intelligence, has claimed responsibility for the attack.
How Did It Happen?
Microsoft Intune, Microsoft's cloud-based endpoint management tool, works with a plethora of roles, privileges, and permissions. The one that was compromised is the role that can do anything and everything: Global Administrator. Strictly speaking, Global Administrator is a Microsoft Entra ID (formerly Azure AD) directory role rather than an Intune-specific one, which is exactly why it matters: it grants full control over the whole tenant, Intune included. Using phishing and credential stuffing to take over an existing Global Administrator account, the attackers then created a Global Administrator account of their own.
Phishing is a social-engineering attack in which the attacker impersonates a trusted source to trick a person into revealing credentials or installing malware, usually by way of a malicious link or attachment. Credential stuffing is an automated attack that replays usernames and passwords stolen in earlier breaches (typically bought or traded on the dark web) against a login form, betting that people reuse the same password across sites (which is why the name of the family dog is not a good password).
Once the group had its own Global Administrator account, the possibilities were endless (and unrestricted). With Global Administrator privileges, the group could issue Intune's built-in remote actions at scale, in this case the wipe command. Stryker enforces a Mobile Device Management (MDM) policy: a set of security rules, functions, and configurations pushed to corporate or personal devices (phones, laptops, tablets), including devices enrolled under a Bring Your Own Device (BYOD) policy. BYOD lets employees use select company programs and apps on their personal phones. Every device enrolled in Intune under the MDM policy was remotely wiped and factory reset. One caveat worth knowing: a full wipe is only possible for devices that are actually MDM-enrolled. Personal devices protected solely by app protection policies (no enrollment) can lose their corporate app data through a selective wipe, but cannot be factory reset; the personal devices hit here were affected because they had been enrolled through the company portal.
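The two steps described above (a freshly created account promoted to Global Administrator, followed by a burst of remote wipes) are exactly what an audit-log detection should key on. The following is an added example, not code from the original article, from Stryker, or from Microsoft: it runs over constructed, simplified audit records (the field names are an assumption loosely modelled on Entra ID role-management audit entries and Intune audit events) and flags both patterns.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables for this example. The wipe threshold is deliberately low: a helpdesk
# rarely hand-wipes five devices in ten minutes; a script driving a stolen admin
# session does so trivially.
WIPE_BURST_THRESHOLD = 5
WIPE_BURST_WINDOW = timedelta(minutes=10)
NEW_ACCOUNT_TO_ADMIN_WINDOW = timedelta(hours=1)
GLOBAL_ADMIN = "Global Administrator"

# Constructed sample events as JSON lines (NOT real Stryker data). The shape is an
# assumed, simplified mapping of Entra ID role-management audit entries and Intune
# audit events onto one record type; adapt the field names to your own export.
SAMPLE_EVENTS = """\
{"time":"2026-03-11T02:10:05Z","activityDisplayName":"Add user","initiatedBy":"ga.user@example.com","target":"svc-backup-admin@example.com","role":null}
{"time":"2026-03-11T02:10:41Z","activityDisplayName":"Add member to role","initiatedBy":"ga.user@example.com","target":"svc-backup-admin@example.com","role":"Global Administrator"}
{"time":"2026-03-11T02:30:00Z","activityDisplayName":"wipe ManagedDevice","initiatedBy":"helpdesk@example.com","target":"PHONE-0042","role":null}
{"time":"2026-03-11T03:00:00Z","activityDisplayName":"wipe ManagedDevice","initiatedBy":"svc-backup-admin@example.com","target":"LAPTOP-0001","role":null}
{"time":"2026-03-11T03:00:12Z","activityDisplayName":"wipe ManagedDevice","initiatedBy":"svc-backup-admin@example.com","target":"LAPTOP-0002","role":null}
{"time":"2026-03-11T03:00:25Z","activityDisplayName":"wipe ManagedDevice","initiatedBy":"svc-backup-admin@example.com","target":"LAPTOP-0003","role":null}
{"time":"2026-03-11T03:00:40Z","activityDisplayName":"wipe ManagedDevice","initiatedBy":"svc-backup-admin@example.com","target":"LAPTOP-0004","role":null}
{"time":"2026-03-11T03:00:55Z","activityDisplayName":"wipe ManagedDevice","initiatedBy":"svc-backup-admin@example.com","target":"LAPTOP-0005","role":null}
{"time":"2026-03-11T03:01:10Z","activityDisplayName":"wipe ManagedDevice","initiatedBy":"svc-backup-admin@example.com","target":"LAPTOP-0006","role":null}
"""


def parse_events(jsonl):
    """Parse JSON-lines audit records and return them sorted by time."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect(events):
    """Return alerts for the two attacker steps: a new Global Administrator and a wipe burst."""
    alerts = []
    created_at = {}                     # account -> time an "Add user" event created it
    recent_wipes = defaultdict(deque)   # actor -> timestamps of wipes inside the sliding window
    burst_reported = set()
    for ev in events:
        activity = ev["activityDisplayName"]
        if activity == "Add user":
            created_at[ev["target"]] = ev["time"]
        elif activity == "Add member to role" and ev.get("role") == GLOBAL_ADMIN:
            # Any Global Administrator assignment deserves a ticket; one granted to an
            # account created moments earlier is the pattern described in the article.
            born = created_at.get(ev["target"])
            fresh = born is not None and ev["time"] - born <= NEW_ACCOUNT_TO_ADMIN_WINDOW
            alerts.append({
                "rule": "GLOBAL_ADMIN_ASSIGNED",
                "severity": "critical" if fresh else "high",
                "actor": ev["initiatedBy"],
                "target": ev["target"],
                "time": ev["time"].isoformat(),
                "detail": "account created and promoted within the same hour" if fresh else "existing account promoted",
            })
        elif activity == "wipe ManagedDevice":
            actor = ev["initiatedBy"]
            window = recent_wipes[actor]
            window.append(ev["time"])
            while window and ev["time"] - window[0] > WIPE_BURST_WINDOW:
                window.popleft()        # drop wipes that fell out of the sliding window
            if len(window) >= WIPE_BURST_THRESHOLD and actor not in burst_reported:
                burst_reported.add(actor)   # report each actor's burst once, not per device
                alerts.append({
                    "rule": "WIPE_BURST",
                    "severity": "high",
                    "actor": actor,
                    "count": len(window),
                    "time": ev["time"].isoformat(),
                    "detail": f"{len(window)} remote wipes inside {WIPE_BURST_WINDOW}",
                })
    return alerts


def run_sample():
    """Run the detector over the constructed sample; returns two alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample, the detector raises one critical alert at the moment the 36-second-old account becomes Global Administrator and one high alert on the fifth wipe from that account, while the single helpdesk wipe stays quiet. In practice the first rule alone is the one to wire to a pager: legitimate Global Administrator assignments are rare enough that every one can be reviewed by a human.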
CISA’s Call to Action for Companies Using Intune
Following the attack, the Cybersecurity & Infrastructure Security Agency (CISA) released a critical alert for organizations using Intune or any other endpoint management software.
- Use principles of least privilege when designing administrative roles.
- Essentially, assign the minimum needed privileges for a user to complete their daily job functions.
- Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene.
- Configure endpoint management software to block unauthorized access to privileged functions, like passkeys.
- Configure access policies to require multi-admin approval.
- We get it, another approval step is tedious. But requiring a second admin to sign off on sensitive actions (such as wiping devices) means a single compromised admin account cannot carry them out alone, and the approval request itself is a signal that malicious activity like this can be caught and flagged early.
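Two of the items above (fewer, better-protected Global Administrators and phishing-resistant MFA actually enforced on them) can be checked mechanically against a tenant's exported Conditional Access policies and role membership. The example below is added here and is not from the article, CISA, or Microsoft. Its sample data is constructed in the shape of Microsoft Graph conditionalAccessPolicy objects and directory-role member objects; the role-template and authentication-strength IDs are the well-known built-in values, but verify them against your own tenant before relying on them. It does not check multi-admin approval.

```python
import copy
import json

# Well-known, tenant-independent identifiers (verify against your own tenant's
# role templates and authentication strengths before relying on them):
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"   # Entra "Global Administrator" role template
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"  # built-in "Phishing-resistant MFA" strength
MAX_GLOBAL_ADMINS = 5   # Microsoft guidance: keep fewer than five Global Administrators


def requires_phishing_resistant(policy):
    """True if the policy's grant control is the phishing-resistant authentication strength."""
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID


def scope_includes_global_admins(policy):
    """True if the policy targets the Global Administrator role (or all users) for all apps."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    role_in_scope = ("All" in users.get("includeUsers", [])
                     or GLOBAL_ADMIN_ROLE_TEMPLATE_ID in users.get("includeRoles", []))
    return role_in_scope and "All" in apps.get("includeApplications", [])


def find_gaps(policies, ga_members):
    """Evaluate least privilege and phishing-resistant MFA for the Global Administrator role."""
    findings = []
    if len(ga_members) >= MAX_GLOBAL_ADMINS:
        findings.append({"severity": "high", "check": "least-privilege",
                         "detail": f"{len(ga_members)} Global Administrators; guidance is fewer than {MAX_GLOBAL_ADMINS}"})
    candidates = [p for p in policies if requires_phishing_resistant(p) and scope_includes_global_admins(p)]
    enforced = [p for p in candidates if p["state"] == "enabled"]
    if not enforced:
        # A report-only policy logs what it would have done and blocks nothing: a common
        # way to believe admins have phishing-resistant MFA when they do not.
        report_only = [p["displayName"] for p in candidates if p["state"] == "enabledForReportingButNotEnforced"]
        detail = "no enforced Conditional Access policy requires phishing-resistant MFA for Global Administrators"
        if report_only:
            detail += f"; report-only candidates: {', '.join(report_only)}"
        findings.append({"severity": "critical", "check": "phishing-resistant-mfa", "detail": detail})
    else:
        ga_ids = {m["id"] for m in ga_members}
        for p in enforced:
            # Excluded Global Administrators are a hole in the policy; surface them so
            # someone confirms they are deliberate break-glass accounts.
            holes = ga_ids & set(p["conditions"]["users"].get("excludeUsers", []))
            if holes:
                findings.append({"severity": "medium", "check": "phishing-resistant-mfa",
                                 "detail": f"policy '{p['displayName']}' excludes Global Administrator(s) {sorted(holes)}; "
                                           "confirm they are break-glass accounts with their own alerting"})
    return findings


# Constructed sample data (not from any real tenant), shaped like Microsoft Graph
# conditionalAccessPolicy objects and directory-role member objects.
WEAK_POLICIES = [
    {"displayName": "Require phishing-resistant MFA for admins",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE_ID], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": [],
                       "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID, "displayName": "Phishing-resistant MFA"}}},
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeRoles": [], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"], "authenticationStrength": None}},
]
WEAK_GA_MEMBERS = [{"id": f"user-{i:02d}", "userPrincipalName": f"admin{i}@example.com"} for i in range(1, 7)]

# Hardened variant: the admin policy is enforced, three Global Administrators remain,
# and the break-glass account is excluded from the policy (which the check still surfaces).
HARDENED_POLICIES = copy.deepcopy(WEAK_POLICIES)
HARDENED_POLICIES[0]["state"] = "enabled"
HARDENED_POLICIES[0]["conditions"]["users"]["excludeUsers"] = ["breakglass-01"]
HARDENED_GA_MEMBERS = WEAK_GA_MEMBERS[:2] + [{"id": "breakglass-01", "userPrincipalName": "breakglass@example.com"}]

if __name__ == "__main__":
    for label, pols, gas in (("weak", WEAK_POLICIES, WEAK_GA_MEMBERS), ("hardened", HARDENED_POLICIES, HARDENED_GA_MEMBERS)):
        print(label, json.dumps(find_gaps(pols, gas), indent=2))
```

Real input for this check can be exported with the Microsoft Graph PowerShell SDK (Get-MgIdentityConditionalAccessPolicy for the policies, Get-MgDirectoryRoleMember for the role members) and saved as JSON. The weak tenant fails on both counts: six Global Administrators, and the only phishing-resistant policy sits in report-only mode while the "MFA for everyone" policy accepts push notifications and codes that a phishing kit can relay. The hardened tenant passes, with one medium finding reminding the reviewer that the excluded break-glass account needs its own monitoring.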
McKonly & Asbury can assist your company in managing cybersecurity threats by performing a SOC for Cybersecurity engagement to identify whether effective processes and controls are in place, and to provide recommendations to detect, respond to, mitigate, and recover from breaches and other cybersecurity events. For more information on these services and more, be sure to visit our SOC services page as well as our Cybersecurity services page, and don’t hesitate to contact us with any questions.
About the Author
Max Cooper joined McKonly & Asbury in 2026 and is currently an Advisory Senior with the firm’s SOC team.