
Ransomware attacks on West Pharmaceutical and Foxconn highlight growing cyber risks to manufacturing sector


West Pharmaceutical Services disclosed a ransomware attack that disrupted manufacturing, shipping, and receiving operations across multiple global facilities after attackers breached its network on May 4. In a filing with the U.S. Securities and Exchange Commission, the company said hackers stole data and encrypted systems, prompting it to proactively shut down portions of its infrastructure to contain the incident.

In a separate incident, Taiwanese company Foxconn confirmed a cyberattack affecting several North American factories after the Nitrogen ransomware group claimed it stole 8TB of data and more than 11 million files from the company. Foxconn said impacted facilities are returning to normal operations but did not confirm whether customer data was compromised.

“On May 7, 2026, West Pharmaceutical Services, Inc. (the “Company”) determined that the Company has experienced a material cybersecurity attack, in which certain data was exfiltrated by an unauthorized party and certain systems were encrypted,” according to the Monday SEC filing. “Upon initial detection of an intrusion on May 4, 2026, the Company promptly activated its incident response protocols, including proactively taking systems offline globally for containment purposes, notifying law enforcement, and engaging external cyber-forensic experts. The Company’s investigation into the nature and scope of the incident remains ongoing, including the extent of the data affected.” 

The filing added that the company has taken steps intended to mitigate the risk of dissemination of the exfiltrated data. “The incident and the Company’s proactive response have temporarily disrupted the Company’s business operations globally.” 

Moreover, while the company has restored its core enterprise systems, and critical processes for shipping, receiving, and manufacturing have restarted at some sites with restoration of the remaining sites in process, the timeline for a complete restoration has not yet been finalized.

West Pharmaceutical added that the incident’s material impact on its financial condition and results of operations, if any, has not been determined at the time of filing.

The company said core enterprise systems have since been restored and some manufacturing operations have resumed, although full recovery timelines remain unclear. West also confirmed it engaged Palo Alto Networks Unit 42 for incident response support and notified law enforcement as it investigates the scope of the breach and the extent of compromised data.

The incident underscores the growing ransomware threat facing pharmaceutical and healthcare supply chains, where cyberattacks can disrupt manufacturing operations and product distribution. West Pharmaceutical Services supplies injectable packaging and drug delivery systems used widely across the healthcare sector, raising concerns about potential downstream impacts on critical medical production environments.

Commenting on the ransomware attack, Jacob Krell, senior director for secure AI solutions and cybersecurity at Suzu Labs, assessed in an emailed statement that ransomware has completed its transition from disparate criminal hackers into a full industry. “Organizations occupying critical supply chain positions should treat ransomware as an operational assumption and invest accordingly. That means blast radius reduction and validated recovery capabilities, supported by proactive threat hunting. Perimeter defense alone is insufficient when adversaries operate with the speed and specialization of a professional operation.”

He added that “West’s SEC filing notes the company is still investigating what data was compromised. That uncertainty is a data inventory problem, and most organizations share it regardless of sector. They can tell you that systems are down. Fewer can tell you exactly what data sat in those systems and who it affects. That gap extends every phase of incident response from materiality determination to customer notification. Complete data inventory is what allows an organization to answer the first question every board and every regulator will ask after a breach. What was taken?”

“The West Pharmaceutical attack is a direct hit on the ‘sterile core’ of the global drug supply chain,” Damon Small, board of directors of Xcape, wrote in an emailed statement. “By forcing a proactive global shutdown of manufacturing and shipping, the attackers didn’t just lock servers; they paralyzed the delivery mechanism for approximately 70% of the world’s injectable drugs. This incident demonstrates that in high-stakes manufacturing, the ‘proactive shutdown’ is often as disruptive as the malware itself, creating a massive backlog in a sector where sterile integrity and just-in-time delivery are non-negotiable.”

Small added, “This breach proves that for critical suppliers, operational downtime is a secondary threat compared to the quiet extortion of proprietary IP. The absence of a public leak site listing suggests West is likely negotiating to protect specialized packaging designs and shipping manifests that represent a single point of failure for giants like Pfizer and Moderna. Restoration of enterprise systems is only half the battle; the ‘phased’ restart of global factories reveals a deep distrust in the underlying OT segmentation that allowed a corporate IT breach to reach the production line.”

True resilience in the pharmaceutical space requires a shift from reactive containment to a proactive architecture where the loss of an IT domain controller doesn’t result in a worldwide manufacturing cardiac arrest, Small observed. “In manufacturing, a ‘phased restoration’ is usually just corporate-speak for ‘we paid the ransom, and now we’re just waiting for the hackers to give us our factory back.’”

In the Foxconn cybersecurity incident, Nitrogen hackers alleged that the stolen data includes confidential project documentation, technical drawings, and internal instructions connected to major customers, including Apple, NVIDIA, Intel, Google, and Dell Technologies. Researchers reviewing leaked samples said some files appeared to contain hardware schematics and component details tied to customer projects. They warned that leaked hardware documentation could aid counterfeit manufacturing efforts or help threat actors identify vulnerabilities within hardware and firmware ecosystems.

Josh Marpet, senior product security consultant at Finite State, wrote in an emailed statement that “While this is undoubtedly a blow to Foxconn, the damage this could cause to the general public is immensely greater. Fake iPhones, fake laptops, fake merchandise of any kind, with sub-standard build quality, are not going to do the original corporate reputations any good. Plus, with the firmware and code running around, we’ve got an issue where any flaws in that firmware and software will be exploited quickly.”

He added that “Product security becomes an absolute mandate in this scenario. Luckily, there are fantastic product security companies who can help the original manufacturers. Let’s see who uses them.”

“The Foxconn breach moves the ransomware conversation from operational disruption to long-term architectural risk,” Small recognized. “While factory floors are restarting, the alleged theft of 8TB of data – specifically hardware schematics and network topologies for major clients like Intel and Google – represents a generational threat to the supply chain. This isn’t just about stolen IP; it’s about providing adversaries with a detailed roadmap of the physical and logical infrastructure that underpins global AI and data center operations.”


