ctipilot.ch

West Pharmaceutical Services SEC 8-K Item 1.05 — data exfiltrated, systems encrypted, global operations partially restarted (2026-05-11)

incident · incident:west-pharma-8k-2026

  • Coverage timeline: 1 (first 2026-05-12 → last 2026-05-18)
  • Briefs: 1 (1 distinct)
  • Sources cited: 16 (8 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-05-12 · CTI Daily Brief — 2026-05-12
    active_threats: First coverage. Form 8-K Item 1.05 filed 2026-05-11. Detection 2026-05-04; materiality determination 2026-05-07. Double-extortion pattern (data exfiltration + system encryption). Core systems restored; shipping/receiving/manufacturing partially restarted; full timeline TBD. ~11,000 staff, ~50 sites worldwide; pharmaceutical packaging supply-chain exposure for EU biopharma.

Where this entity is cited

  • active_threats: 1

Source distribution

  • attack.mitre.org: 8 (50%)
  • sec.gov: 2 (12%)
  • cybersecuritydive.com: 1 (6%)
  • bleepingcomputer.com: 1 (6%)
  • frenchbreaches.com: 1 (6%)
  • novonordisk.com: 1 (6%)
  • theregister.com: 1 (6%)
  • welivesecurity.com: 1 (6%)

Related entities

All cited sources (16)

Items in briefs about West Pharmaceutical Services SEC 8-K Item 1.05 — data exfiltrated, systems encrypted, global operations partially restarted (2026-05-11) (4)

UPDATE: West Pharmaceutical Services — 8-K/A confirms full operational restoration, data investigation ongoing

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

UPDATE (originally covered 2026-W21): West Pharmaceutical Services (NYSE: WST) filed an 8-K/A amendment under SEC Item 1.05 on 2026-05-20 confirming full operational restoration across all manufacturing, supply chain, and commercial sites globally after the May 4 ransomware intrusion (SEC EDGAR 8-K/A, 2026-05-20). No unauthorized activity observed since 2026-05-05. Data exfiltration scope and threat actor attribution remain under investigation; Palo Alto Networks Unit 42 is conducting the forensic response. The 8-K/A marks formal closure of the containment phase under the SEC's mandatory cyber-incident disclosure cycle; data impact scope will require a further disclosure when the investigation concludes.

West Pharmaceutical Services — 8-K/A confirms full operational restoration

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

West Pharmaceutical Services (NYSE: WST) filed an 8-K/A amendment under SEC Item 1.05 on 2026-05-20 confirming full operational restoration across all manufacturing facilities, with the data investigation still ongoing. Closing the loop on the W20 disclosure: the manufacturing-line continuity risk this audience was tracking has resolved; the residual is the data-scope determination.

West Pharmaceutical Services — SEC Form 8-K Item 1.05 [SINGLE-SOURCE-OTHER]

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Data exfiltrated, systems encrypted, global operations partially restarted. SEC 8-K Item 1.05 disclosure — single-source as of week-end with no independent corroborating breach analysis. Operational relevance to Swiss / EU public-sector defenders: West Pharmaceutical supplies drug-delivery components into EU pharmaceutical-manufacturing supply chains; the "global operations partially restarted" language indicates ongoing IT-side recovery that may yet propagate downstream supply-chain impact (daily 2026-05-12).

[SINGLE-SOURCE-OTHER] West Pharmaceutical Services files SEC Form 8-K Item 1.05 — data exfiltrated, systems encrypted, global operations partially restarted

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

West Pharmaceutical Services Inc. (NYSE: WST), a US-headquartered global manufacturer of drug-delivery and packaging components, filed a Form 8-K on 2026-05-11 disclosing a material cybersecurity incident under Item 1.05 (SEC EDGAR — WST 8-K, 2026-05-11). The filing states that detection occurred on May 4 2026, materiality was determined May 7, and that "certain data was exfiltrated by an unauthorized party and certain systems were encrypted" — terminology consistent with a T1486 Data Encrypted for Impact plus T1041 Exfiltration Over C2 Channel double-extortion ransomware pattern. The company took global systems offline, activated incident response, notified law enforcement and engaged external forensics; core enterprise systems are restored, shipping/receiving/manufacturing are partially restarted at some facilities, and full restoration timeline and material financial impact remain undetermined. No threat actor has claimed responsibility publicly at time of filing.

Defender takeaway: A double-extortion event against an OT-adjacent pharmaceutical packaging manufacturer is a high-supply-chain-risk template — West Pharma's elastomeric closures, vials and drug-delivery devices feed European biopharma packaging lines including those of national-formulary suppliers. EU public-sector procurement teams handling pharmaceutical resilience plans should validate continuity-of-supply with downstream vendors that source closures or delivery devices from West. Detection pivot for analogous targets: large-volume SMB enumeration, VSSAdmin / WBEM shadow-copy deletion (T1490 Inhibit System Recovery), and abnormal DLP egress volume in the days preceding encryption — the encryption event is rarely the first indicator if logs are retained.
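Two of the detection pivots named in the takeaway above, as an added example that is not part of the original brief: it flags vssadmin / WMI shadow-copy deletion (T1490) in process-creation events and pairs each hit with egress-volume spikes on the same host in the preceding days. The event fields, hostnames, thresholds and all sample data are constructed assumptions; SMB enumeration is not covered here.

```python
import re
from datetime import date, datetime, timedelta
from statistics import median

# Shadow-copy deletion (T1490) through vssadmin or the WMI/WBEM interface.
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I),
]

def shadow_delete_hits(events):
    """Return process-creation events whose command line deletes shadow copies."""
    return [e for e in events if any(p.search(e["cmd"]) for p in SHADOW_DELETE)]

def egress_outliers(daily, factor=5.0, min_baseline=5):
    """Days whose outbound bytes exceed factor x the median of earlier normal days."""
    days, out = sorted(daily), []
    for i, d in enumerate(days):
        baseline = [daily[p] for p in days[:i] if p not in out]
        if len(baseline) >= min_baseline and daily[d] > factor * median(baseline):
            out.append(d)
    return out

def correlate(events, egress_by_host, lookback_days=7):
    """Pair each deletion with egress spikes on that host in the prior window."""
    findings = []
    for e in shadow_delete_hits(events):
        when = datetime.fromisoformat(e["ts"]).date()
        spikes = [d for d in egress_outliers(egress_by_host.get(e["host"], {}))
                  if timedelta(0) <= when - d <= timedelta(days=lookback_days)]
        findings.append({"host": e["host"], "ts": e["ts"], "egress_spikes": spikes})
    return findings

# Constructed sample data: hostnames, timestamps and byte counts are illustrative.
EVENTS = [
    {"ts": "2026-01-12T02:14:07", "host": "FS01",
     "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-01-12T02:15:40", "host": "APP02", "cmd": "wmic shadowcopy delete"},
    {"ts": "2026-01-12T09:00:00", "host": "FS01", "cmd": "vssadmin list shadows"},
]
EGRESS = {
    "FS01": {**{date(2026, 1, d): 2_000_000_000 for d in range(1, 9)},
             date(2026, 1, 9): 45_000_000_000, date(2026, 1, 10): 61_000_000_000,
             date(2026, 1, 11): 2_100_000_000},
    "APP02": {date(2026, 1, d): 500_000_000 for d in range(1, 12)},
}

if __name__ == "__main__":
    for finding in correlate(EVENTS, EGRESS):
        print(finding)
```

A deletion hit with a non-empty `egress_spikes` list is the case the takeaway describes: the spike predates the encryption-stage activity, so it is only visible if flow or DLP logs are retained for the lookback window.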