As we reported last week, Stryker was attacked by Iranian-backed hackers in retaliation for Israeli and U.S. strikes against Iran. It was a significant cyberattack, known as a wiper attack. A wiper attack is designed not to extort money from a victim, but instead to send a message and destroy the victim’s data to cripple their operations. Stryker was a victim of a political attack that had a significant negative effect on its business operations. It was merely conducting business and got caught in the crosshairs of an international war.
Stryker has been transparent about the incident and how it has affected its products. Being a victim of a wiper attack is bad enough. But unfortunately, it became victimized again when, while responding to the cyberattack, it was sued by a former customer service employee alleging that Stryker failed to secure data and alleging a data breach. It is confounding to me to try to understand how the plaintiff can possibly allege a data breach when the attack just happened and an investigation was just starting.
The facts surrounding the Stryker attack will continue to develop, and Stryker will no doubt comply with an legal obligations that ultimately arise from the incident. That said, it is deeply disappointing to see an opportunistic plaintiff and counsel hit Stryker before facts are known, before any notification letters are sent (if even applicable), and while the company was down and actively responding to a significant attack.
Stryker should be allowed the time to assess what happened, respond appropriately, restore its operations, and complete its investigation before anyone determines whether a viable claim exists. Filing suit within days of the incident is premature and only serves as a distraction.
I feel particular empathy toward Stryker, as it took the hit for a political message—something that could have happened to any company. We should learn from this incident and support the company, rather than pile on while it is still working to recover.
