A Misconfigured Setting Exposed 45 Million Records This Week — Is Your Business Next?
A single cloud misconfiguration inside McGraw-Hill’s Salesforce environment handed attackers access to 45 million records this week. Combined with breaches at Booking.com and Basic-Fit, and ransomware data showing 88% of incidents target small and mid-size businesses, the message for business leaders is clear: the biggest threats are not exotic — they are ordinary oversights in the tools you already use.
The McGraw-Hill Breach: A Cloud Configuration Gone Wrong
On April 14, the ShinyHunters ransomware group claimed responsibility for breaching McGraw-Hill through an improperly configured Salesforce instance. The attackers did not need to crack encryption or exploit cutting-edge vulnerabilities. They walked through a door that was left open.
The result was 45 million Salesforce records exposed — names, contact details, and other personally identifiable information that can fuel identity theft, phishing campaigns, and follow-on attacks against the people in those records. For a company of McGraw-Hill’s size, the legal exposure alone could stretch into the tens of millions of dollars. For the millions of individuals whose data is now circulating in criminal marketplaces, the consequences may take years to fully surface.
What makes this breach instructive for small and mid-size business leaders is not the scale. It is the method. Salesforce, HubSpot, Zoho CRM, and similar platforms are standard tools across businesses of every size. Each one comes with dozens of permission settings, access controls, and integration points. A single misconfigured field — a permission set too broadly, an API endpoint left exposed, a user role that grants more access than intended — can turn a trusted business tool into an open window.
If your organization uses any cloud-based CRM, project management, or customer data platform, the question is not whether your configuration is complex. It is whether anyone has audited it recently.
More Breaches This Week: Booking.com and Basic-Fit
McGraw-Hill was not alone. On April 12, Booking.com confirmed that a cybersecurity incident compromised customer reservation details — full names, email addresses, postal addresses, phone numbers, and even the special requests customers had attached to their bookings. The company has not disclosed the total number of affected records, but the breadth of exposed data types is concerning. For businesses that rely on third-party booking or scheduling platforms, this is a reminder that your customers’ data security is only as strong as the weakest link in your vendor chain.
A day later, Dutch fitness chain Basic-Fit disclosed that attackers had accessed records for one million members, including bank account details for a portion of those customers. The breach impacted operations across multiple countries and underscored a pattern that has been building throughout 2026: customer-facing businesses that store payment information remain high-value targets, regardless of their industry.
Neither Booking.com nor Basic-Fit operates in what most people would consider the “cybersecurity industry.” They are a travel platform and a gym chain. That is precisely the point. Attackers are not limiting themselves to technology companies. They are going where the data is, and for most businesses, that means the customer records sitting inside everyday operational tools.
The Numbers Behind the Headlines
These individual breach stories fit into a broader pattern that every business leader should have on their radar. Current data from multiple cybersecurity research organizations paints a stark picture of the ransomware landscape heading deeper into 2026:
- 88% of all ransomware incidents now involve small and mid-size businesses. The overwhelming majority of ransomware attacks are hitting organizations with limited IT staff and smaller security budgets.
- The average cost of a ransomware incident for a small business ranges from $120,000 to $1.24 million. That figure includes ransom payments, recovery expenses, lost revenue during downtime, and the cost of rebuilding trust with customers and partners.
- 60% of small businesses that suffer a cyberattack shut down within six months. The financial and operational shock is often more than a smaller organization can absorb, especially when it hits during a period when margins are already thin.
- The top three attack methods remain exploited software vulnerabilities (32%), compromised credentials (23%), and phishing emails (18%). None of these are exotic. They are known problems with known solutions.
One additional trend worth watching: data exfiltration is now present in 87% of ransomware attacks. Criminals are not just locking your files and demanding payment. They are stealing your data first and threatening to publish it if you refuse to pay. This double extortion strategy raises the stakes significantly because even if you have reliable backups and can restore your systems, your sensitive business and customer data may still end up on the dark web.
What Business Leaders Should Be Doing This Week
The gap between awareness and action is where most businesses get hurt. Reading about these breaches is a start, but the real question is whether your organization has taken concrete steps to close the doors that attackers are walking through.
Audit your cloud configurations. If your business uses any cloud-based platform that stores customer or employee data — CRM systems, accounting software, file storage, HR tools — verify that access permissions are set correctly. Who has admin access? Are there API integrations that were set up months ago and never reviewed? Does every user have the minimum level of access they need to do their job? If you do not know the answers, that is the first problem to solve.
Patch the software CISA flagged this week. The Cybersecurity and Infrastructure Security Agency added six actively exploited vulnerabilities to its catalog this week, including critical flaws in Fortinet’s FortiClient, Microsoft Exchange Server, and Adobe Acrobat Reader. Federal agencies have until April 30 to apply fixes. Your business should not wait that long. If you use any of these products, check with your IT provider about whether patches have been applied.
Confirm your multi-factor authentication coverage. Compromised credentials account for nearly a quarter of all successful attacks. Passwords alone are not sufficient. Multi-factor authentication adds a second verification step that stops the majority of credential-based attacks. If MFA is not enabled on every business-critical account — email, financial platforms, cloud storage, CRM — enable it today.
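The configuration audit and the MFA coverage check described above can be turned into a repeatable review rather than a one-off question. The script below is an added example written for this article's checklist, not tooling from Salesforce or any other platform named here; the export format, the per-job role baseline, the scope names and the dates are all constructed assumptions.

```python
from datetime import date

# Constructed sample access export (not real data). The field names are an assumption
# modelled on what a CRM or SaaS admin console typically lets you download.
ACCOUNTS = [
    {"user": "cfo@example.com",    "system": "crm", "role": "admin",    "mfa": True,  "job": "finance"},
    {"user": "intern@example.com", "system": "crm", "role": "admin",    "mfa": False, "job": "marketing"},
    {"user": "sales1@example.com", "system": "crm", "role": "standard", "mfa": True,  "job": "sales"},
    {"user": "hr@example.com",     "system": "hr",  "role": "standard", "mfa": False, "job": "hr"},
]

# Constructed list of API integrations / connected apps and when someone last reviewed them.
INTEGRATIONS = [
    {"name": "mailing-sync",  "system": "crm", "scopes": ["read_contacts"],          "last_reviewed": date(2026, 3, 1)},
    {"name": "legacy-export", "system": "crm", "scopes": ["read_all", "modify_all"], "last_reviewed": date(2025, 6, 1)},
]

# Least-privilege baseline: the roles each job function legitimately needs (an assumption).
BASELINE = {"finance": {"admin", "standard"}, "sales": {"standard"},
            "marketing": {"standard"}, "hr": {"standard"}}
# Systems the checklist says must have MFA (email, finance, storage, CRM), plus HR here.
CRITICAL_SYSTEMS = {"email", "finance", "storage", "crm", "hr"}
BROAD_SCOPES = {"read_all", "modify_all"}   # tenant-wide grants that deserve a second look
TODAY = date(2026, 4, 16)                   # fixed reference date so results are reproducible


def audit(accounts, integrations, today, max_review_age_days=180):
    """Return (severity, message) findings for the three questions in the checklist:
    who has more access than their job needs, who lacks MFA on a critical system,
    and which integrations are over-scoped or have not been reviewed recently."""
    findings = []
    for acct in accounts:
        allowed = BASELINE.get(acct["job"], set())
        if acct["role"] not in allowed:
            findings.append(("high", f"{acct['user']} holds role '{acct['role']}' on "
                                     f"{acct['system']}, beyond the {acct['job']} baseline"))
        if acct["system"] in CRITICAL_SYSTEMS and not acct["mfa"]:
            findings.append(("high", f"{acct['user']} has no MFA on critical system {acct['system']}"))
    for app in integrations:
        age = (today - app["last_reviewed"]).days
        if age > max_review_age_days:
            findings.append(("medium", f"integration {app['name']} on {app['system']} "
                                       f"not reviewed for {age} days"))
        broad = sorted(BROAD_SCOPES.intersection(app["scopes"]))
        if broad:
            findings.append(("high", f"integration {app['name']} holds broad scope(s) {', '.join(broad)}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(ACCOUNTS, INTEGRATIONS, TODAY):
        print(f"[{severity.upper()}] {message}")
```

Pointing the same three checks at a real export from your own CRM or HR platform is the audit the article asks for; the findings list is what you hand to whoever owns those accounts.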
Review your incident response plan. If a breach happened at your organization tomorrow morning, does your team know who to call, what to shut down, and how to communicate with customers? Fifty-seven percent of security incidents are first detected by someone outside the organization, not by the company itself. Having a documented, rehearsed response plan is the difference between a contained incident and a business-ending crisis.
The breaches making headlines this week did not require advanced technical knowledge to prevent. They required attention, routine maintenance, and a commitment to treating cybersecurity as an operational priority — the same way you treat payroll, legal compliance, and insurance. The businesses that take those steps consistently are the ones that stay out of the headlines.