West Pharmaceutical says hackers stole data, encrypted systems

West Pharmaceutical Services says it was the target of a material cybersecurity attack in which data was exfiltrated and some systems were encrypted. The compromise was detected May 4, 2026, with incident response actions including taking systems offline, notifying law enforcement, and engaging external forensics; core shipping and manufacturing systems have been restored and manufacturing partially restarted, but full restoration and the incident's financial impact are still undetermined. The company is working with Palo Alto Networks’ Unit 42, and no ransomware group has claimed responsibility at this time.

TechLogHub

May 13, 2026

0 views

West Pharmaceutical Services: Cyberattack Resulting in Data Exfiltration and System Encryption

IntroductionA major cyber incident has affected West Pharmaceutical Services, a global provider of injectable drug packaging, syringe and vial components, containment systems, and drug delivery devices. The organization disclosed that cybercriminals gained access to its network, exfiltrated data, and encrypted certain systems, triggering a global disruption to its operations. The incident prompted an immediate, multi-layered response across the company’s facilities, with ongoing investigations into the scope of data compromise and the extent of system impact.

What Happened

The attack led to data exfiltration and encryption of selected systems across the enterprise.
West Pharmaceutical Services detected a compromise on May 4, 2026, and initiated its incident response procedures.
On May 7, 2026, the company publicly disclosed that it had experienced a material cybersecurity incident, with data exfiltrated by an unauthorized party and various systems encrypted.

Timeline of Events

May 4, 2026: Initial intrusion detected. Immediate containment measures were activated, including the shutdown and isolation of affected on-premises infrastructure to limit the impact.
May 7, 2026: The company’s assessment concluded that a material cybersecurity incident had occurred, with data exfiltration and system encryption confirmed.
May 4–May 7, 2026: Ongoing containment, an expansion of incident response activities, and coordination with law enforcement and external experts began.
Ongoing: Restoration efforts have focused on core enterprise systems that support shipping and manufacturing operations, with manufacturing partially restarted as systems come back online.

Key Facts and Details

Nature of the incident:
Data exfiltration by an unauthorized party.
Encryption of certain enterprise systems, affecting operations.
Response actions:
Activation of incident response protocols and crisis management procedures.
Proactive shutdown and isolation of affected on-premise infrastructure for containment.
Restriction of access to enterprise systems to prevent further spread.
Notification of law enforcement and engagement of external cyber-forensic experts.
External assistance:
Palo Alto Networks’ Unit 42 was engaged to assist with incident response, containment, and recovery, in coordination with additional experts and legal counsel.
Current operational impact:
The incident disrupted global business operations, with core shipping and manufacturing systems affected.
Core enterprise systems supporting shipping and manufacturing have been restored, and manufacturing has been partially restarted. Complete restoration of all systems has not yet been achieved, and no timetable for full restoration has been provided.
Financial implications:
The company has not issued estimates regarding the incident’s material impact on financial results.
Data protection measures:
West Pharmaceutical stated that it has taken steps to mitigate the risk associated with the exfiltrated data, though exact measures have not been publicly detailed.
Ransomware attribution:
As of the latest updates, no ransomware groups had claimed responsibility for the attack.

Impact on Operations and Production

Global disruption limited production scheduling and logistics across regions as IT and manufacturing systems were temporarily offline or restricted.
The restoration process emphasized reinstating shipping and manufacturing workflows to reestablish product flow while ensuring security controls and containment measures remain in place.
The partial restart of manufacturing suggests a phased approach, prioritizing high-demand operations and critical supply chains while monitoring for any residual threats or system vulnerabilities.

Investigation and Data Scope

An ongoing investigation seeks to determine the exact scope of the incident, including which specific datasets were accessed or stolen and the potential exposure of personal or customer information.
The company continues to work with forensic experts to map attack vectors, assess security gaps, and strengthen defenses to prevent recurrence.

Company Profile and Context

West Pharmaceutical Services is a publicly traded company within the S&P 500, with annual revenues surpassing the several-billion-dollar mark and a global workforce exceeding 10,000 employees.
The firm specializes in injectable drug packaging solutions, syringe and vial components, containment systems, and advanced drug delivery devices.

What This Means for Stakeholders

Customers and partners may see temporary delays as global shipping and manufacturing systems are brought back online and validated for security and reliability.
The combination of data exfiltration and system encryption underscores the ongoing risk landscape in the pharmaceutical supply chain, highlighting the importance of robust cyber resilience measures.
Ongoing communications from West Pharmaceutical Services are expected to provide updates on restoration progress, security improvements, and any material changes to financial projections as the situation evolves.

Response Strategy and Continuing Actions

Immediate containment: Maintain strict access controls and isolate affected segments to prevent further spread.
Forensic analysis: Continue cooperation with external experts to determine attack vectors, data types involved, and remediation requirements.
Legal and compliance: Coordinate with counsel and relevant regulators to ensure proper notification and adherence to applicable laws.
Security hardening: Implement enhanced monitoring, backup validation, and segmentation improvements to reduce risk of future incidents.
Communication: Provide timely updates to stakeholders as new information becomes available, including restoration milestones and any changes to risk posture.

Context and Related Observations

The incident aligns with broader trends where data exfiltration accompanies ransomware-style encryption, prompting organizations to balance operational recovery with data protection considerations.
The involvement of a major incident response partner adds depth to containment, detection, and remediation efforts, while the lack of a claimed ransomware group indicates ongoing uncertainty about the attackers’ identity or motive.

Closing PerspectiveWest Pharmaceutical Services remains focused on restoring full operating capacity while maintaining rigorous security controls to protect data and minimize disruption to its global operations. As investigations continue and the restoration process progresses, stakeholders can expect further disclosures detailing the scope of the incident, the measures implemented to prevent recurrence, and the impact on business performance.

West Pharmaceutical Services: Cyberattack Resulting in Data Exfiltration and System Encryption

What Happened

The attack led to data exfiltration and encryption of selected systems across the enterprise.
West Pharmaceutical Services detected a compromise on May 4, 2026, and initiated its incident response procedures.
On May 7, 2026, the company publicly disclosed that it had experienced a material cybersecurity incident, with data exfiltrated by an unauthorized party and various systems encrypted.

Timeline of Events

May 4, 2026: Initial intrusion detected. Immediate containment measures were activated, including the shutdown and isolation of affected on-premises infrastructure to limit the impact.
May 7, 2026: The company’s assessment concluded that a material cybersecurity incident had occurred, with data exfiltration and system encryption confirmed.
May 4–May 7, 2026: Ongoing containment, an expansion of incident response activities, and coordination with law enforcement and external experts began.
Ongoing: Restoration efforts have focused on core enterprise systems that support shipping and manufacturing operations, with manufacturing partially restarted as systems come back online.

Key Facts and Details

Nature of the incident:
Data exfiltration by an unauthorized party.
Encryption of certain enterprise systems, affecting operations.
Response actions:
Activation of incident response protocols and crisis management procedures.
Proactive shutdown and isolation of affected on-premise infrastructure for containment.
Restriction of access to enterprise systems to prevent further spread.
Notification of law enforcement and engagement of external cyber-forensic experts.
External assistance:
Palo Alto Networks’ Unit 42 was engaged to assist with incident response, containment, and recovery, in coordination with additional experts and legal counsel.
Current operational impact:
The incident disrupted global business operations, with core shipping and manufacturing systems affected.
Core enterprise systems supporting shipping and manufacturing have been restored, and manufacturing has been partially restarted. Complete restoration of all systems has not yet been achieved, and no timetable for full restoration has been provided.
Financial implications:
The company has not issued estimates regarding the incident’s material impact on financial results.
Data protection measures:
West Pharmaceutical stated that it has taken steps to mitigate the risk associated with the exfiltrated data, though exact measures have not been publicly detailed.
Ransomware attribution:
As of the latest updates, no ransomware groups had claimed responsibility for the attack.

Impact on Operations and Production

Global disruption limited production scheduling and logistics across regions as IT and manufacturing systems were temporarily offline or restricted.
The restoration process emphasized reinstating shipping and manufacturing workflows to reestablish product flow while ensuring security controls and containment measures remain in place.
The partial restart of manufacturing suggests a phased approach, prioritizing high-demand operations and critical supply chains while monitoring for any residual threats or system vulnerabilities.

Investigation and Data Scope

An ongoing investigation seeks to determine the exact scope of the incident, including which specific datasets were accessed or stolen and the potential exposure of personal or customer information.
The company continues to work with forensic experts to map attack vectors, assess security gaps, and strengthen defenses to prevent recurrence.

Company Profile and Context

West Pharmaceutical Services is a publicly traded company within the S&P 500, with annual revenues surpassing the several-billion-dollar mark and a global workforce exceeding 10,000 employees.
The firm specializes in injectable drug packaging solutions, syringe and vial components, containment systems, and advanced drug delivery devices.

What This Means for Stakeholders

Customers and partners may see temporary delays as global shipping and manufacturing systems are brought back online and validated for security and reliability.
The combination of data exfiltration and system encryption underscores the ongoing risk landscape in the pharmaceutical supply chain, highlighting the importance of robust cyber resilience measures.
Ongoing communications from West Pharmaceutical Services are expected to provide updates on restoration progress, security improvements, and any material changes to financial projections as the situation evolves.

Response Strategy and Continuing Actions

Immediate containment: Maintain strict access controls and isolate affected segments to prevent further spread.
Forensic analysis: Continue cooperation with external experts to determine attack vectors, data types involved, and remediation requirements.
Legal and compliance: Coordinate with counsel and relevant regulators to ensure proper notification and adherence to applicable laws.
Security hardening: Implement enhanced monitoring, backup validation, and segmentation improvements to reduce risk of future incidents.
Communication: Provide timely updates to stakeholders as new information becomes available, including restoration milestones and any changes to risk posture.

Context and Related Observations

The incident aligns with broader trends where data exfiltration accompanies ransomware-style encryption, prompting organizations to balance operational recovery with data protection considerations.
The involvement of a major incident response partner adds depth to containment, detection, and remediation efforts, while the lack of a claimed ransomware group indicates ongoing uncertainty about the attackers’ identity or motive.

West Pharmaceutical says hackers stole data, encrypted systems

More from the Blog

Microsoft Adds Copilot Data Controls to All Storage Locations

Previously harmless Google API keys now expose Gemini AI data

Microsoft says bug in classic Outlook hides the mouse pointer

Stay Updated

West Pharmaceutical says hackers stole data, encrypted systems

More from the Blog

Microsoft Adds Copilot Data Controls to All Storage Locations

Previously harmless Google API keys now expose Gemini AI data

Microsoft says bug in classic Outlook hides the mouse pointer

Stay Updated