Full Report
On March 4, 2026, Perrigo detected a cyber security incident targeting two employee email accounts. Upon learning of the incident, we immediately contained and remediated the unauthorized access that same day. We subsequently launched an investigation with the assistance of third-party forensic specialists to determine the nature and scope of the unauthorized access. We also notified law enforcement. After completing our investigation, Perrigo determined that certain information was accessed by the unauthorized actor on March 4, 2026. With the support of third-party experts, we then began a review of the data and individuals affected. On April 23, 2026, Perrigo concluded its review of impacted data and determined that your personal information was involved.
Analysis Summary
# Incident Report: Unauthorized Access to Perrigo Employee Email Accounts
## Executive Summary
On March 4, 2026, Perrigo identified and mitigated a cybersecurity incident involving unauthorized access to two employee email accounts. A subsequent forensic investigation confirmed that an unauthorized actor accessed sensitive personal information during the brief window of compromise. The company has since completed a data review and notified affected individuals, offering 24 months of credit monitoring services.
## Incident Details
- **Discovery Date:** March 4, 2026
- **Incident Date:** March 4, 2026
- **Affected Organization:** Perrigo Company
- **Sector:** Healthcare/Commercial (Pharmaceuticals)
- **Geography:** Allegan, Michigan, USA
## Timeline of Events
### Initial Access
- **Date/Time:** March 4, 2026
- **Vector:** External system breach (Hacking)
- **Details:** Unauthorized access was gained to two specific employee email accounts.
### Lateral Movement
- **Details:** Based on the report, the incident was contained to the two targeted email accounts; no broader lateral movement within the corporate network was disclosed.
### Data Exfiltration/Impact
- **Details:** On March 4, 2026, the attacker accessed data within the compromised accounts. A review of that data, concluded on April 23, 2026, determined that personal identifiers (PII) were compromised.
### Detection & Response
- **March 4, 2026:** Incident detected; unauthorized access was immediately contained and remediated.
- **Post-March 4:** Third-party forensic specialists engaged; law enforcement notified.
- **April 23, 2026:** Impacted data review finalized, identifying specific affected individuals.
- **May 19, 2026:** Formal written notification sent to affected parties.
## Attack Methodology
- **Initial Access:** Hacking (External system breach targeting email credentials).
- **Persistence:** None; access was remediated the same day as detection.
- **Privilege Escalation:** Not disclosed/None reported.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Compromise of two specific sets of employee email credentials.
- **Discovery:** Not disclosed.
- **Lateral Movement:** Limited to email environment exposure.
- **Collection:** Accessing data contained within the affected email mailboxes.
- **Exfiltration:** Unauthorized actor viewed/accessed data during the intrusion.
- **Impact:** Breach of PII and potential for identity theft.
## Impact Assessment
- **Financial:** Costs associated with third-party forensic specialists, legal counsel (Baker McKenzie LLP), and 24 months of identity protection services for victims.
- **Data Breach:** Compromise of names or other personal identifiers.
- **Operational:** Minimal; remediation occurred on the day of discovery.
- **Reputational:** Required notification to the State Attorney General and public disclosure via breach notices.
## Indicators of Compromise
- **Network indicators:** None disclosed in the public notice.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unusual login activity or unauthorized access patterns within the two affected email accounts.
## Response Actions
- **Containment:** Unauthorized access was immediately blocked and accounts secured on March 4.
- **Eradication:** Remediation of compromised accounts and forensic sweep by third-party experts.
- **Recovery:** Restoration of secure access; notification of law enforcement.
- **Victim Support:** Provision of 24 months of identity theft protection through Epiq – Privacy Solutions (3B Credit Monitoring).
## Lessons Learned
- **Key Takeaways:** Rapid detection and remediation on the same day can significantly limit the duration of an attacker's presence, though it may not prevent data access entirely.
- **What could have been done better:** While containment was swift, the gap between the incident (March) and victim notification (May) suggests that the data review process for identifying PII within mailboxes remains a time-intensive phase of the incident response lifecycle.
## Recommendations
- **MFA Implementation:** Ensure robust Multi-Factor Authentication (MFA) is enforced on all external-facing email accounts to prevent credential-based "hacking."
- **Data Minimization:** Implement policies to restrict the long-term storage of PII within email mailboxes.
- **Email Security:** Enhance monitoring for anomalous login locations or suspicious mailbox rules (e.g., auto-forwarding) to improve detection speed.