This Week in Cyber: Iran Wipes Stryker's Data, 14,000 Routers Hijacked, and a Broken Button Cost $1.1 Million

Three separate storylines dominated this week, and they all point to the same uncomfortable truth: the gap between what executives think their security posture looks like and what it actually looks like is getting more expensive by the day. Stryker sent thousands of employees home. A broken opt-out button cost a company $1.1 million. And the backup software that was supposed to save everyone? It had seven critical holes in it.

Meanwhile, the threat landscape got simultaneously worse and better. INTERPOL took down 45,000 criminal servers in one of the biggest coordinated cyber operations ever — genuine good news that deserves applause. But while that cleanup crew was working, criminals were quietly infecting 14,000 home and office routers to build a fresh hideout, and poisoning Google search results so your employees download fake VPN software that steals their passwords. The bad guys are adaptive. They always have a backup plan, even when yours is compromised.

On the regulatory front, California is done warming up. A new cybersecurity audit law took effect in January — three months ago — and many companies haven't started yet. The White House reset the federal bar for what "reasonable" security means. And if you quietly told your compliance team to ease up on anti-bribery controls because you heard enforcement was slowing down, a coal executive currently on trial would like a word.

The Big Stories

1. Iran Didn't Want Money — They Wanted Chaos

Hackers linked to Iranian intelligence launched a wiper attack on Stryker, one of the world's largest medical device companies, forcing 5,000 workers at its Irish facilities to go home. Unlike ransomware, wiper attacks have one goal: delete everything and leave nothing behind. There's no payment option. There's no negotiating. If your backups aren't air-gapped — meaning physically or logically isolated from your main network — a wiper attack turns them into a very expensive pile of nothing.

2. Your Router May Be Committing Crimes Right Now

A new piece of malware called KadNap has silently infected over 14,000 routers — mostly Asus models — and turned them into a criminal relay network. Attackers route their hacking traffic through your device so that investigators trace the crime back to your address, not theirs. More than 60% of infected devices are in the United States. The fix is straightforward: update your router's firmware, change the default admin password, and if the device is old enough that it no longer receives security updates, replace it.

3. The Backup Software Everyone Relies On Had Seven Critical Holes

Veeam — the backup software used by a massive portion of the corporate world — patched seven critical vulnerabilities this week, some scoring a near-perfect 10 out of 10 on the danger scale. The worst flaw lets any user with basic network credentials run commands on your backup servers remotely. Backup servers hold the keys to your entire kingdom. If an attacker owns your backups, they don't just lock your files — they eliminate your escape route. Patch this immediately.

4. A Broken Button Cost $1.1 Million

PlayOn Sports, a platform used by schools for digital ticketing and streaming, became the first company fined by California's privacy regulator specifically for student data violations. The fine was $1.1 million. The violation? An opt-out button that existed on screen but didn't actually work — and the company was quietly selling student data to third parties. California's Privacy Protection Agency (CalPrivacy) is fully in enforcement mode, and they are clearly hunting for companies that handle data on minors. If your product touches anyone under 18, test your privacy controls today. Not next quarter. Today.

5. AI Put an Innocent Grandmother in Jail for Six Months

Angela Lipps, a grandmother from Tennessee, spent nearly six months behind bars after an AI system used by Fargo police wrongly matched her face to a bank fraud suspect. She had nothing to do with the crime. This is not a hypothetical risk scenario from a think tank — it happened, it's documented, and lawsuits are coming. If your business uses AI to make decisions that affect people's lives — identity checks, fraud flags, background screening, credit decisions — you now have a very concrete example of what happens when you can't explain how the system works or prove its accuracy rate. Courts and regulators are asking exactly those questions.

6. INTERPOL Took Down 45,000 Criminal Servers — Actual Good News

In a coordinated sweep across 72 countries, INTERPOL dismantled 45,000 malicious servers used to launch phishing, malware, and ransomware attacks globally. Ninety-four people were arrested. This is one of the largest single takedowns of criminal cyber infrastructure ever recorded. The practical effect for your business: fewer attack campaigns in the near term, because criminals need time to rebuild. Historically, that window lasts a few months. Use it.

7. California's Cybersecurity Audit Law Is Already in Effect — And Many Companies Have Missed It

As of January 1, 2026, California requires certain businesses to conduct formal, independent cybersecurity audits — think of it like a financial audit, but for how you protect data. The law applies to companies that process large volumes of consumer data or engage in high-risk data practices. This is not a future deadline. It took effect three months ago. CalPrivacy has already demonstrated it will fine companies that aren't compliant. If you do significant business in California and haven't started this process, call your privacy counsel today.

Security Watch

  • Fake VPN Downloads Are Stealing Employee Passwords

    Microsoft flagged a campaign where criminals are rigging Google search results so that employees searching for legitimate VPN software — like Cisco or Palo Alto tools — land on fake download pages instead. The fake files are digitally signed to look real, but they silently steal login credentials. Train your employees to download software only from official vendor sites, not search results.

  • Chrome Has Two Actively Exploited Flaws — Update Today

    Google pushed emergency patches for two high-severity Chrome vulnerabilities that attackers were already exploiting before the fix was available. This is a patch-today-not-this-weekend situation. Check that auto-updates are enabled across your organization.

  • Microsoft's March Patch Covers 84 Flaws — Two Were Already Public

    Microsoft's monthly security update fixed 84 vulnerabilities, including eight rated critical. Two of the flaws were publicly known before patches were ready, meaning attackers had a head start. Prioritize this month's Windows updates.

  • North Korean Hackers Stole Millions After Developer Accepted an AirDrop File

    A North Korean hacking group compromised a crypto company after a developer accepted a file transfer via Apple AirDrop onto their work device. The file was malware. The attackers used that single foothold to move through the company's cloud systems and steal millions. Remind your team: AirDrop from strangers is a threat vector, not just an annoyance.

Privacy Pulse

  • Your Ad Data Is Being Sold to the Government — No Warrant Required

    A detailed report confirmed that U.S. government agencies are buying location and behavioral data from the same advertising brokers your marketing team uses. Because it's a purchase rather than a legal demand, no warrant is needed. Data you generate through ad networks doesn't stay in the ad ecosystem — and regulators on both sides of the Atlantic are treating this as a serious compliance issue that will create new restrictions on behavioral advertising.

  • FBI Searches of Americans' Data Up 35% — Your Customers Are Paying Attention

    New figures show the FBI increased its searches of a foreign intelligence database containing Americans' communications by 35% in 2025. Data collected for one purpose is routinely accessed for entirely different purposes — and your customers increasingly understand this and factor it into their trust decisions.

  • Ring's AI Camera Feature Is a Cautionary Tale for Every Product Team

    Ring's Super Bowl debut of an AI feature using neighborhood camera footage to find lost pets triggered an immediate and intense public backlash. The lesson: launching AI-powered features that involve surveillance — even for wholesome reasons — without a clear privacy story and genuine consent will blow up in your face. Every product team should be asking this question before launch, not after.

  • UK Is Writing New Rules for AI That Interacts With Kids

    The UK government launched a national consultation on children's online experiences, with a specific focus on new obligations for AI systems that interact with minors. The consultation runs through May 2026. If you operate digital products accessible to children in the UK, new AI-specific restrictions are coming — and now is the time to provide input and start preparing.

Compliance Corner

  • FCPA Enforcement Isn't Paused — A Coal Executive Is on Trial Right Now

    A former Corsa Coal executive is on trial on FCPA (Foreign Corrupt Practices Act — the anti-bribery law) charges while a co-conspirator cooperates with prosecutors. The company went bankrupt. If your team quietly relaxed anti-bribery controls because you heard enforcement was slowing down, this trial is your wake-up call. Individual executives are being prosecuted, not just companies, and cooperating witnesses make convictions much easier.

  • Sanctions Enforcement Is Hitting Mid-Market Companies Now, Not Just Big Banks

    OFAC (the U.S. Treasury's sanctions enforcement arm) issued 14 enforcement actions in 2025, and the targets are shifting toward mid-market and non-financial companies. If you have international suppliers, customers, or partners in high-risk regions, your sanctions screening program needs to be current, documented, and actually working.

  • The White House Just Reset the Bar for What 'Reasonable' Cybersecurity Means

    The Trump administration released a new national cybersecurity strategy and an Executive Order targeting cybercrime. The practical implication: the federal definition of "reasonable" security practices is moving upward. Companies that haven't reviewed their security posture recently may find themselves exposed in future enforcement actions or litigation when this new standard is applied.

  • Your Warranty Language Might Be a Right-to-Repair Lawsuit Waiting to Happen

    Gaps between written warranty terms, customer support scripts, and consumer-facing communications are emerging as a significant liability under right-to-repair regulations. If your warranty says one thing and your support team says another, that inconsistency is legally exploitable. A quick cross-check of your warranty documentation is cheap insurance.

  • Financial Firms Using AI Writing Tools Have a Supervision Gap Right Now

    FINRA (the financial industry regulator) built its communications review process for human-speed output. AI tools are producing client-facing content — emails, reports, recommendations — far faster than existing supervision frameworks can handle. If you're in financial services and your advisers are using AI writing tools, you likely have a compliance gap today. Expect formal guidance before the end of 2026.

The Bottom Line

This week handed executives three questions worth answering before Friday: Are your backups truly isolated from your main network — or could a wiper attack destroy them too? If your product touches minors' data, do your opt-out controls actually function when tested? And if you use AI to make decisions about people, can you explain how it works and prove its error rate? Those aren't hypothetical board-meeting questions anymore. They're the questions regulators and plaintiff attorneys are already asking.

If you do one thing this week: Patch Veeam backup software immediately, and ask your IT team to confirm that your backups are stored somewhere a network attacker couldn't reach. The Stryker attack is a reminder that recovery is only possible if your backups survive. Everything else on this list can wait until Monday. This one can't.