
On March 11, 2026, a pro-Iranian group wiped 200,000 devices at one of America’s largest medical companies using a single stolen password. No malware. No ransomware. Just a legitimate IT tool turned against the company that owned it.
That was one of nine confirmed data breaches across the US and Europe in March 2026. Healthcare systems, government institutions, legal data platforms, financial infrastructure, a media streaming service, and an identity protection company all made the list. What connects them is not attacker sophistication. Most of these major data breaches in 2026 were not technically complex. What connects them is that the controls that would have stopped them were either absent, untested, or ignored.
Here is what happened, breach by breach.
1. Stryker Corporation
March 11, 2026 | Medical devices | United States
At 5 AM UTC, Stryker employees across 79 countries watched their devices go black. Iran-linked group Handala had compromised a single Microsoft Intune administrator account, created a new Global Administrator account, and used Stryker’s own device management platform to remotely wipe over 200,000 devices. No malware deployed. Manufacturing stopped. Shipping stopped. Some locations reverted to pen and paper.
Handala claimed 50TB of data stolen. Stryker found no evidence of exfiltration but confirmed the MDM wiper attack in an SEC 8-K filing. The FBI seized Handala’s websites on March 19. The US Department of Justice confirmed Handala is operated by Iran’s Ministry of Intelligence and Security. CISA issued an advisory urging all organisations to require a second administrator’s approval before any mass device action executes. That one missing control is what the entire incident comes down to.
Sources:
BleepingComputer: Stryker attack wiped tens of thousands of devices, no malware needed
TechCrunch: Pro-Iran hacktivist group says it is behind Stryker attack
TechCrunch: CISA urges companies to secure Microsoft Intune after Stryker
TechCrunch: US accuses Iran’s government of operating Handala
SecurityWeek: MedTech Giant Stryker Crippled by Iran-Linked Hacker Attack
Stryker Official Statement
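The second-administrator control CISA's advisory describes can be sketched as an approval gate. This is an added example, not code from Stryker, Microsoft, or CISA; the account names, threshold, and cooling-off period are assumptions. It goes one step beyond the advisory by also rejecting an approver account that the requester created, or that is newer than the cooling-off period, since in this incident a new Global Administrator account was created from the compromised one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for this sketch; tune them to your environment.
MASS_ACTION_THRESHOLD = 50             # devices in one request that count as "mass"
MIN_APPROVER_AGE = timedelta(days=30)  # cooling-off period for newly created admins

@dataclass(frozen=True)
class Admin:
    upn: str
    created_at: datetime
    created_by: Optional[str] = None   # UPN of whoever provisioned this account

@dataclass(frozen=True)
class WipeRequest:
    requester: Admin
    device_ids: tuple

def check_approval(req, approver, now):
    """Return (allowed, reason) for a remote-wipe request."""
    if len(req.device_ids) < MASS_ACTION_THRESHOLD:
        return True, "below mass-action threshold"
    if approver is None:
        return False, "second administrator required"
    a, r = approver.upn.lower(), req.requester.upn.lower()
    if a == r:
        return False, "approver is the requester"
    # An account minted by the other party is not an independent second person.
    if (approver.created_by or "").lower() == r or (req.requester.created_by or "").lower() == a:
        return False, "one account provisioned the other"
    if now - approver.created_at < MIN_APPROVER_AGE:
        return False, "approver account too new"
    return True, "approved by independent administrator"

# Constructed sample data (hypothetical accounts and device IDs).
NOW = datetime(2026, 3, 11, 5, 0, tzinfo=timezone.utc)
mdm_admin = Admin("mdm-admin@example.com", datetime(2023, 1, 9, tzinfo=timezone.utc))
fresh_ga = Admin("new-ga@example.com", NOW - timedelta(hours=2), created_by=mdm_admin.upn)
secops = Admin("secops-lead@example.com", datetime(2022, 6, 1, tzinfo=timezone.utc))
mass_wipe = WipeRequest(mdm_admin, tuple(f"device-{i}" for i in range(200)))

if __name__ == "__main__":
    for approver in (None, mdm_admin, fresh_ga, secops):
        who = approver.upn if approver else "nobody"
        print(f"{who:26} -> {check_approval(mass_wipe, approver, NOW)}")
```

Only the long-standing, independently provisioned account can release the 200-device wipe; the account created two hours earlier by the requester cannot.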
2. Cegedim Sante
Breach late 2025, confirmed March 3, 2026 | Healthcare software | France
Attackers breached Cegedim’s MonLogicielMedical platform, used by 3,800 French doctors. Cegedim detected it, filed a criminal complaint in October 2025, and said nothing publicly for four months. France24 broke the story. Cegedim confirmed on March 3.
15.8 million patient records were stolen in what became one of the largest healthcare data breaches in European history. The serious part: 165,000 files contained doctors’ free-text notes with HIV status, psychiatric diagnoses, sexual orientation, and mental health conditions. Politicians were among those exposed.
What makes this hardest to defend is that France’s data regulator CNIL had already fined Cegedim 800,000 euros in September 2024 for illegally processing this exact category of health data. The fine did not produce enough change. 15 million patients found out four months after a criminal complaint had already been filed.
Sources:
State of Surveillance: France Cegedim Sante Medical Breach 15 Million GDPR 2026
Kaseya: Week in Breach News, March 11 2026
3. Crunchyroll
March 12, 2026 | Media streaming | United States
The third-party data breach at Crunchyroll did not start at Crunchyroll. It started on a contractor’s laptop in India. An attacker phished a Telus International support agent who had Okta SSO access to Crunchyroll’s internal systems. Stolen credentials opened Zendesk, Slack, Google Workspace, and Jira. In under 24 hours, 8 million support ticket records were downloaded, and 100GB of data exfiltrated before access was revoked.
Stolen data included 6.8 million unique email addresses, IP addresses, and partial credit card information. The attacker demanded $5 million. Crunchyroll confirmed to BleepingComputer and Recorded Future News that the breach was limited to customer service ticket data via a third-party vendor. The supply chain cyberattack originated thousands of miles from any system that Crunchyroll directly controlled.
Sources:
BleepingComputer: Crunchyroll probes breach after hacker claims to steal 6.8M users’ data
TechCrunch: Crunchyroll confirms data breach after hacker claims unauthorized access
The Record by Recorded Future: Crunchyroll says hacker stole customer service ticket data
CybersecurityNews: Crunchyroll Data Breach 100GB of User Data
4. European Commission / Europa.eu
March 24, 2026 | Government | European Union
Attackers accessed cloud infrastructure hosting Europa.eu on March 24. The Commission confirmed on March 27 that data was taken from affected websites while internal systems remained unaffected. ShinyHunters claimed responsibility, alleging 350GB, including databases, mail server contents, and confidential contracts. BleepingComputer confirmed the stolen data came from the Commission’s AWS account.
This was the second European Commission breach in 2026. A February intrusion had already exposed staff names and mobile numbers via the Commission’s own MDM infrastructure. Two cybersecurity incidents at EU institutions in under two months is a targeting pattern, not bad luck.
Sources:
TechCrunch: European Commission confirms cyberattack
BleepingComputer: European Commission confirms data breach after Europa.eu hack
Help Net Security: Second data breach at European Commission this year
The Register: European Commission admits breach of public web systems
5. LexisNexis Legal and Professional
Breach February 24, confirmed March 3, 2026 | Legal data | United States
Threat actor FulcrumSec exploited the React2Shell vulnerability in an unpatched LexisNexis frontend application to enter their AWS environment. The flaw had been publicly known for months. Overpermissioned IAM roles then let the attacker move from the frontend container into production databases and directly into AWS Secrets Manager, where 53 credentials were stored in plaintext.
2.04GB was exfiltrated: 3.9 million database records and 21,042 customer accounts. Of the 400,000 exposed user profiles, 118 belonged to federal judges, DOJ attorneys, and SEC staff. LexisNexis confirmed the breach, stating the stolen data was primarily legacy information predating 2020. An unpatched known vulnerability combined with overpermissioned cloud access roles is not bad luck. It is a predictable outcome.
Sources:
BleepingComputer: LexisNexis confirms data breach as hackers leak stolen files
SecurityWeek: New LexisNexis Data Breach Confirmed After Hackers Leak Files
Mishcon de Reya: Monthly Cyber Threat Report Issue 15
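The overpermissioned-role condition described above can be checked before deployment. This is an added example, not LexisNexis's configuration or tooling: both policy documents, the Sids, the account ID, and the secret name are constructed, and the check covers only `Allow` statements with `Action`/`Resource` keys (not `NotAction` or conditions).

```python
import fnmatch

# Secrets Manager actions a frontend role rarely needs across every secret.
SENSITIVE_ACTIONS = ("secretsmanager:GetSecretValue", "secretsmanager:ListSecrets")

def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def overbroad_secret_access(policy):
    """Return findings for Allow statements granting secret reads on wildcard resources."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a lone statement may be a bare object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [a.lower() for a in _as_list(st.get("Action"))]
        hits = sorted({s for s in SENSITIVE_ACTIONS
                       for p in patterns if fnmatch.fnmatchcase(s.lower(), p)})
        broad = [r for r in _as_list(st.get("Resource"))
                 if r == "*" or r.endswith(":secret:*")]
        if hits and broad:
            findings.append({"sid": st.get("Sid", f"statement[{i}]"),
                             "actions": hits, "resources": broad})
    return findings

# Constructed policies: a frontend role with blanket access, and a scoped version.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FrontendEverything", "Effect": "Allow",
     "Action": ["secretsmanager:*", "s3:GetObject"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "FrontendOneSecret", "Effect": "Allow",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:frontend/session-key-AbCdEf"}}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, overbroad_secret_access(pol))
```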
6. Aura
March 18, 2026 | Identity protection | United States
Someone called an Aura employee, impersonated a trusted contact, and asked for system access. The employee gave it. The attacker had access for approximately one hour before Aura terminated the account.
900,000 records were accessed, including names, email addresses, home addresses, and phone numbers. Aura confirmed 20,000 current and 15,000 former customers were directly affected, with the remainder being marketing contacts from a 2021 acquisition. ShinyHunters subsequently claimed responsibility for the breach. No Social Security numbers, passwords, or financial information were compromised.
Aura sells identity theft protection to consumers. The attack method, a convincing voice on the phone, is now replicable at scale by anyone with a short audio sample and an AI voice tool. This will not be the last time.
Sources:
BleepingComputer: Aura confirms data breach exposing 900,000 marketing contacts
SecurityWeek: Security Firm Aura Discloses Data Breach Impacting 900,000 Records
7. Ericsson US
Breach April 2025, disclosed March 2026 | Telecommunications | United States
A third-party service provider used by Ericsson was breached in April 2025. Personal information belonging to more than 15,000 individuals, including names, government ID numbers, and financial details, was accessed. Ericsson disclosed publicly in March 2026. Eleven months after the breach.
For eleven months, those 15,000 people could not monitor for fraud, freeze credit, or take any protective action because nobody told them. The breach was a third-party failure. The eleven-month silence was a contractual one.
Sources:
Innovate Cybersecurity: Top 10 Cybersecurity News March 16 2026
Data Breaches Digest: Week 11 2026
8. University of Mississippi Medical Center
Attack February 19, claimed March 12, 2026 | Healthcare ransomware | United States
Ransomware hit UMMC on February 19. All 35 clinic locations closed. Epic EHR went offline for nine days. Surgeries cancelled. Imaging suspended. Staff documented patient care by hand. Some patients were redirected to other facilities entirely.
On March 12, Medusa claimed responsibility, demanding $800,000 and threatening to leak stolen data by March 20. The FBI and Department of Homeland Security were brought in. UMMC fully reopened on March 2 after restoring systems. Medusa is a ransomware-as-a-service operation believed to be based in Russia, historically targeting healthcare because operational downtime there is a patient safety event, not a business inconvenience. Attackers price ransoms accordingly. Read more about building resilience against these attacks in our Ransomware Readiness Assessment guide.
Sources:
BleepingComputer: Mississippi medical center closes all clinics after ransomware attack
BleepingComputer: Mississippi medical center reopens clinics hit by ransomware attack
The Record: Medusa ransomware gang claims attack on Mississippi hospital
SecurityWeek: Mississippi Hospital System Closes All Clinics After Ransomware Attack
9. Marquis Software Solutions
Attack August 2025, disclosed March 2026 | Financial services | United States
Marquis Software Solutions provides data analytics, CRM, and compliance services to over 700 US banks and credit unions. On August 14, 2025, attackers compromised a SonicWall firewall and deployed ransomware, stealing names, dates of birth, Social Security numbers, and financial account information. 74 downstream banks were disrupted. Marquis disclosed in March 2026, seven months after the attack. The confirmed figure of 672,000 affected individuals came from filings with state Attorney General offices. Marquis subsequently sued SonicWall, alleging security failures enabled the compromise.
One provider. 74 institutions. Seven months before anyone outside the company knew.
Sources:
BleepingComputer: Marquis ransomware gang stole data of 672,000 people in 2025 cyberattack
BleepingComputer: Marquis sues SonicWall over backup breach that led to ransomware attack
SecurityWeek: Marquis Data Breach Affects 672,000 Individuals
What March 2026 Actually Tells Us
Five of the nine data breaches in March 2026 entered through a third party or outsourcing partner. Three were disclosed months after they occurred, leaving hundreds of thousands of people unable to protect themselves in the interim. Two of the biggest required no technical sophistication beyond a stolen credential and a phone call. One publicly known vulnerability sat unpatched long enough to give an attacker a clear path through to production infrastructure and a secrets vault.
None of these are new failure modes. The controls that would have stopped them are documented, widely available, and in most cases not expensive. The problem is the gap between what organisations know they should do and what they have actually implemented and tested.
That gap is measurable. Continuous Threat Exposure Management works by closing it continuously, across your own environment and your entire third-party ecosystem, before attackers find it first. Every incident above had an exposure window. The question is whether yours is visible to you or only to them.
Frequently Asked Questions
Why do companies wait months to disclose a data breach?
Most delays come from ongoing forensic investigations, legal caution, and in some cases, deliberate concealment. The US has no federal breach notification deadline for most sectors, so companies control their own timeline. The result: victims cannot protect themselves while attackers have exclusive use of the stolen data.
Why does ransomware keep targeting hospitals?
Hospitals cannot afford downtime because inaccessible records directly risk patient safety, which makes paying the ransom more likely than in any other sector. They also run legacy systems with multiple third-party connections through EHR and billing platforms, each one a potential entry point.
What is vishing, and why is it getting harder to detect?
Vishing is a phone-based attack where someone impersonates a trusted colleague or manager to obtain access or credentials. AI voice cloning now lets attackers replicate a real person’s voice from a short audio sample, making these calls nearly indistinguishable from genuine ones. Any access request arriving by phone should be verified through a separate channel before acting.
How do attackers use outsourcing companies to reach bigger targets?
BPO companies require direct access to their clients’ internal systems to do support work, making one compromised employee a gateway into dozens of organisations at once. The Crunchyroll breach happened exactly this way: one stolen Okta credential at a Telus International contractor gave access to Crunchyroll’s Slack, Zendesk, and Google Workspace without any Crunchyroll system being directly touched.