Cyber Incident Victim: West Pharmaceutical Services
Date:
May 2026
Location:
United States of America
Summary
West Pharmaceutical Services experienced a ransomware attack that led to the proactive shutdown and isolation of affected on‑premise infrastructure, disrupting global operations. The company retained Palo Alto Networks’ Unit 42 for containment, restoration, and investigation, notified law enforcement, and reported that core enterprise systems have been restored while critical shipping, receiving, and manufacturing processes have restarted at some sites with work ongoing elsewhere. Attackers exfiltrated data before deploying file‑encrypting ransomware, and the firm is investigating the scope of the stolen information and has taken steps intended to mitigate the risk of its dissemination. The company has not identified the ransomware group responsible, and no known group has claimed responsibility for the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 4, 2026, West Pharmaceutical Services experienced a ransomware intrusion that prompted the company to initiate a proactive shutdown and isolation of its affected on‑premise infrastructure. The containment action was taken after the attackers had already exfiltrated data from the systems before deploying file‑encrypting ransomware. As a result of the shutdown, the company’s business operations were disrupted globally. West Pharmaceutical Services disclosed the incident in a filing with the Securities and Exchange Commission on May 12, 2026.
To manage the incident, the company engaged Palo Alto Networks’ Unit 42 threat intelligence and incident response team to assist with containment, system restoration, and investigation. It also restricted access to enterprise systems and activated its crisis management protocols. Law enforcement was notified of the attack. By the time of the SEC filing, West Pharmaceutical Services reported that its core enterprise systems had been restored and that critical processes for shipping, receiving, and manufacturing had restarted at some sites, while work continued to restore the remaining sites. The company noted that a timeline for complete restoration had not yet been finalized.
The attackers had exfiltrated data prior to encryption, and West Pharmaceutical Services said it is investigating the extent of the information affected. The company did not identify the ransomware group responsible for the intrusion but stated that it has taken steps intended to mitigate the risk of dissemination of the exfiltrated data, a measure that the article suggests might indicate a negotiated settlement. SecurityWeek observed that no known ransomware group had claimed responsibility for the attack, which could imply that a ransom was paid. West Pharmaceutical Services has not yet determined whether the incident will have a material impact on its financial condition or results of operations, and it has not disclosed the type of data stolen, whether personal information was involved, or how many individuals might be affected.