What happened
West Pharmaceutical Services, a Pennsylvania-based manufacturer of injectable pharmaceutical packaging and delivery systems, disclosed a ransomware attack that occurred on May 4, 2026, prompting a global shutdown and isolation of affected on-premise infrastructure. The company filed an 8-K with the SEC on May 7 and has retained Palo Alto Networks’ Unit 42 for containment, system restoration, and investigation.
The attack involved data exfiltration before file-encrypting ransomware was deployed. West Pharmaceutical Services told the SEC it has taken steps intended to mitigate the risk of dissemination of the exfiltrated data, language that implies negotiations with the attackers may have occurred or been initiated. No ransomware group has publicly claimed responsibility, which SecurityWeek noted may suggest a ransom was paid. The company has not confirmed the type of data stolen, whether personal information was involved, or how many individuals may be affected.
The containment measures disrupted business operations globally, with core enterprise systems now restored and critical shipping, receiving, and manufacturing processes restarted at some sites. Restoration of remaining sites is still in progress and a complete recovery timeline has not been finalized. The company has notified law enforcement and said it has not yet determined whether the attack has had a material impact on its financial condition or results of operations.
Founded in 1923 and headquartered in Exton, Pennsylvania, West Pharmaceutical Services supplies packaging and drug delivery systems to pharmaceutical manufacturers worldwide.
Who is affected
West Pharmaceutical Services’ global operations and workforce faced direct disruption across manufacturing and logistics functions. The pharmaceutical manufacturers that rely on West’s packaging and delivery systems as a critical supply chain input face potential downstream impact if production delays affect their own manufacturing schedules. The scope of any personal data exposure has not been confirmed.
Why CISOs should care
A ransomware attack that disrupts a major pharmaceutical packaging supplier creates ripple effects across the drug manufacturing supply chain. West Pharmaceutical Services produces components used in injectable drug delivery, meaning production delays can affect pharmaceutical companies’ ability to ship finished products. For security leaders in the pharmaceutical and life sciences sectors, this incident is a reminder that supply chain resilience extends to packaging and component suppliers, not just active pharmaceutical ingredient manufacturers.
The language around mitigating dissemination of exfiltrated data is also worth noting. It suggests the company is managing the data exposure risk separately from the operational recovery, which is an increasingly common double-extortion dynamic that requires parallel legal, communications, and technical response tracks.
3 practical actions
- Assess your pharmaceutical supply chain exposure to West Pharmaceutical Services production delays: If your organization sources injectable packaging or drug delivery components from West, initiate contact with your account team to understand current production capacity, alternative sourcing options, and projected restoration timelines to inform your own manufacturing planning.
- Review ransomware incident response playbooks to ensure data exfiltration is treated as a parallel workstream from the start: West’s disclosure indicates data was exfiltrated before ransomware deployment, a standard double-extortion sequence. Ensure your incident response plans treat data exfiltration investigation as an immediate and parallel priority alongside containment and restoration, rather than a secondary concern addressed after systems are recovered.
- Evaluate SEC 8-K disclosure readiness for material cybersecurity incidents: West filed its 8-K three days after the May 4 incident. Review your organization’s materiality assessment process and internal escalation procedures to ensure you can meet SEC cybersecurity disclosure requirements within the expected timeframe if a comparable incident occurs.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business. He produces editorial content across multiple industries, including executive-focused security media, translating complex technical topics into clear, authoritative copy for professional audiences.