A Misconfigured Setting Exposed 45 Million Records This Week — Is Your Business Next?
A single cloud misconfiguration inside McGraw-Hill’s Salesforce environment handed attackers access to 45 million records this week. Combined with breaches at Booking.com and Basic-Fit, and ransomware data showing 88% of incidents target small and mid-size businesses, the message for business leaders is clear: the biggest threats are not exotic — they are ordinary oversights in the tools you already use.
The McGraw-Hill Breach: A Cloud Configuration Gone Wrong
On April 14, the ShinyHunters ransomware group claimed responsibility for breaching McGraw-Hill through an improperly configured Salesforce instance. The attackers did not need to crack encryption or exploit cutting-edge vulnerabilities. They walked through a door that was left open.
The result was 45 million Salesforce records exposed — names, contact details, and other personally identifiable information that can fuel identity theft, phishing campaigns, and follow-on attacks against the people in those records. For a company of McGraw-Hill’s size, the legal exposure alone could stretch into the tens of millions of dollars. For the millions of individuals whose data is now circulating in criminal marketplaces, the consequences may take years to fully surface.
What makes this breach instructive for small and mid-size business leaders is not the scale. It is the method. Salesforce, HubSpot, Zoho CRM, and similar platforms are standard tools across businesses of every size. Each one comes with dozens of permission settings, access controls, and integration points. A single misconfigured field — a permission set too broadly, an API endpoint left exposed, a user role that grants more access than intended — can turn a trusted business tool into an open window.
If your organization uses any cloud-based CRM, project management, or customer data platform, the question is not whether your configuration is complex. It is whether anyone has audited it recently.
More Breaches This Week: Booking.com and Basic-Fit
McGraw-Hill was not alone. On April 12, Booking.com confirmed that a cybersecurity incident compromised customer reservation details — full names, email addresses, postal addresses, phone numbers, and even the special requests customers had attached to their bookings. The company has not disclosed the total number of affected records, but the breadth of exposed data types is concerning. For businesses that rely on third-party booking or scheduling platforms, this is a reminder that your customers’ data security is only as strong as the weakest link in your vendor chain.
A day later, Dutch fitness chain Basic-Fit disclosed that attackers had accessed records for one million members, including bank account details for a portion of those customers. The breach impacted operations across multiple countries and underscored a pattern that has been building throughout 2026: customer-facing businesses that store payment information remain high-value targets, regardless of their industry.
Neither Booking.com nor Basic-Fit operates in what most people would consider the “cybersecurity industry.” They are a travel platform and a gym chain. That is precisely the point. Attackers are not limiting themselves to technology companies. They are going where the data is, and for most businesses, that means the customer records sitting inside everyday operational tools.
The Numbers Behind the Headlines
These individual breach stories fit into a broader pattern that every business leader should have on their radar. Current data from multiple cybersecurity research organizations paints a stark picture of the ransomware landscape heading deeper into 2026:
- 88% of all ransomware incidents now involve small and mid-size businesses. The overwhelming majority of ransomware attacks are hitting organizations with limited IT staff and smaller security budgets.
- The average cost of a ransomware incident for a small business ranges from $120,000 to $1.24 million. That figure includes ransom payments, recovery expenses, lost revenue during downtime, and the cost of rebuilding trust with customers and partners.
- 60% of small businesses that suffer a cyberattack shut down within six months. The financial and operational shock is often more than a smaller organization can absorb, especially when it hits during a period when margins are already thin.
- The top three attack methods remain exploited software vulnerabilities (32%), compromised credentials (23%), and phishing emails (18%). None of these are exotic. They are known problems with known solutions.
One additional trend worth watching: data exfiltration is now present in 87% of ransomware attacks. Criminals are not just locking your files and demanding payment. They are stealing your data first and threatening to publish it if you refuse to pay. This double extortion strategy raises the stakes significantly because even if you have reliable backups and can restore your systems, your sensitive business and customer data may still end up on the dark web.
What Business Leaders Should Be Doing This Week
The gap between awareness and action is where most businesses get hurt. Reading about these breaches is a start, but the real question is whether your organization has taken concrete steps to close the doors that attackers are walking through.
Audit your cloud configurations. If your business uses any cloud-based platform that stores customer or employee data — CRM systems, accounting software, file storage, HR tools — verify that access permissions are set correctly. Who has admin access? Are there API integrations that were set up months ago and never reviewed? Does every user have the minimum level of access they need to do their job? If you do not know the answers, that is the first problem to solve.
Patch the software CISA flagged this week. The Cybersecurity and Infrastructure Security Agency added six actively exploited vulnerabilities to its catalog this week, including critical flaws in Fortinet’s FortiClient, Microsoft Exchange Server, and Adobe Acrobat Reader. Federal agencies have until April 30 to apply fixes. Your business should not wait that long. If you use any of these products, check with your IT provider about whether patches have been applied.
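One way to turn “patch what CISA flagged” into a repeatable check is to match your own software inventory against CISA’s Known Exploited Vulnerabilities (KEV) feed. The following is an added example, not code from this article or from CISA: the feed excerpt is constructed in the shape of the public KEV JSON with placeholder CVE identifiers, and the inventory, the check date and the product-matching rule are assumptions.

```python
"""Check an asset inventory against CISA's Known Exploited Vulnerabilities feed.

Added example, not code from the original article or from CISA.  The feed
excerpt is constructed in the shape of the public KEV JSON
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
its CVE IDs are placeholders, and the inventory and "today" date are invented.
"""
import json
from datetime import date

# Constructed feed excerpt.  Field names match the real KEV feed; every value
# is a placeholder (CVE-0000-0000x are not real identifiers).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "Fortinet", "product": "FortiClient",
   "dateAdded": "2026-04-13", "dueDate": "2026-04-30", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-00002", "vendorProject": "Microsoft", "product": "Exchange Server",
   "dateAdded": "2026-04-13", "dueDate": "2026-04-30", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-00003", "vendorProject": "Adobe", "product": "Acrobat and Reader",
   "dateAdded": "2026-04-13", "dueDate": "2026-04-30", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed inventory: what the business runs and whether the vendor's
# current fix has been confirmed applied.
INVENTORY = [
    {"vendor": "Fortinet", "product": "FortiClient", "patched": False},
    {"vendor": "Microsoft", "product": "Exchange Server", "patched": True},
    {"vendor": "Zoho", "product": "CRM", "patched": False},
]

CHECK_DATE = date(2026, 4, 15)  # assumed "today" for the sample run


def _norm(text):
    return text.lower().replace("-", " ").strip()


def matches(entry, asset):
    """Vendor must match (case-insensitive); product matches when one name
    contains the other, because KEV product strings are not standardised
    ("Exchange Server" vs "Microsoft Exchange Server")."""
    if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
        return False
    kev_product, my_product = _norm(entry["product"]), _norm(asset["product"])
    return kev_product in my_product or my_product in kev_product


def find_exposures(kev_json, inventory, today):
    """Return unpatched inventory items that appear in KEV, most urgent first:
    entries with known ransomware use come first, then by days until due."""
    feed = json.loads(kev_json)["vulnerabilities"]
    exposures = []
    for asset in inventory:
        if asset["patched"]:
            continue
        for entry in feed:
            if matches(entry, asset):
                due = date.fromisoformat(entry["dueDate"])
                exposures.append({
                    "cve": entry["cveID"],
                    "vendor": asset["vendor"],
                    "product": asset["product"],
                    "days_until_due": (due - today).days,
                    "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                })
    exposures.sort(key=lambda e: (not e["ransomware"], e["days_until_due"]))
    return exposures


def sample_exposures():
    """Run the check over the constructed data (used by the demo below)."""
    return find_exposures(KEV_JSON, INVENTORY, CHECK_DATE)


if __name__ == "__main__":
    results = sample_exposures()
    for e in results:
        flag = " (known ransomware use)" if e["ransomware"] else ""
        print(f"{e['cve']}: {e['vendor']} {e['product']} unpatched, "
              f"CISA due in {e['days_until_due']} days{flag}")
    if not results:
        print("No unpatched KEV-listed products in inventory.")
```

Against the live feed, replace `KEV_JSON` with the downloaded file and `INVENTORY` with your real software list; the output is the short list to hand your IT provider.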
Confirm your multi-factor authentication coverage. Compromised credentials account for nearly a quarter of all successful attacks. Passwords alone are not sufficient. Multi-factor authentication adds a second verification step that stops the majority of credential-based attacks. If MFA is not enabled on every business-critical account — email, financial platforms, cloud storage, CRM — enable it today.
Review your incident response plan. If a breach happened at your organization tomorrow morning, does your team know who to call, what to shut down, and how to communicate with customers? Fifty-seven percent of security incidents are first detected by someone outside the organization, not by the company itself. Having a documented, rehearsed response plan is the difference between a contained incident and a business-ending crisis.
The breaches making headlines this week did not require advanced technical knowledge to prevent. They required attention, routine maintenance, and a commitment to treating cybersecurity as an operational priority — the same way you treat payroll, legal compliance, and insurance. The businesses that take those steps consistently are the ones that stay out of the headlines.
Healthcare, Manufacturing, Legal Data: March’s Attack Wave Confirms No Industry Is Off the Target List
March 2026 delivered a cross-industry attack pattern that security researchers are calling the most volatile month of the year so far: medical technology, legal data, higher education, and manufacturing each absorbed significant incidents, driven by a combination of ransomware operators seeking high-value data and geopolitically motivated groups targeting U.S. and allied infrastructure. The breadth of this month’s incidents is itself a data point that business leaders should act on.


Stryker, LexisNexis, and the Strategic Targeting of Data-Rich Organizations
Stryker Corporation, one of the world’s largest medical technology companies, reported a significant cyberattack in March attributed to an Iran-aligned hacktivist group. The attack disrupted administrative and operational systems at multiple business units. Stryker’s products and services reach hospitals, surgical centers, and medical providers across dozens of countries — the downstream impact of any sustained operational disruption extends well beyond the company itself.
LexisNexis, the legal and professional services data platform used by law firms, financial institutions, and compliance teams worldwide, also experienced an incident in March affecting portions of its data infrastructure. The nature of the data LexisNexis manages — legal records, professional credentials, financial due diligence files, court documents — makes it a high-value target for both nation-state actors seeking intelligence and criminal operators building identity fraud capabilities. The incident is under investigation.
Both incidents share a characteristic that defines the March 2026 threat environment: attackers are targeting organizations for their data value, not their revenue size. Stryker’s medical data and LexisNexis’s legal records have intelligence value far exceeding any ransom that could be extracted. The strategic motivation behind these attacks extends beyond financial extortion to information collection — a pattern that security agencies in the U.S., U.K., and EU have all flagged as an accelerating concern in 2026.


Higher Education and Manufacturing: Sectors That Underestimate Their Exposure
The University of Hawaii and several peer institutions experienced ransomware incidents in March, continuing a pattern from 2025 that saw education sector attacks increase 70 percent year-over-year. Universities hold a specific combination of data that makes them attractive targets: personal information on hundreds of thousands of students and alumni, research data with potential commercial or strategic value, financial records, and healthcare information from campus medical services. They also typically operate with fragmented IT environments and limited security staffing relative to their attack surface.
Michelin, the global tire and automotive manufacturing company, also reported a March incident, reinforcing that manufacturing sector organizations are increasingly targeted for operational disruption and intellectual property theft simultaneously. Manufacturing facilities that have integrated operational technology — connected machinery, automated production systems, supply chain software — with traditional IT networks face a particular risk: ransomware that crosses from the IT environment into operational systems can halt physical production, not just digital operations.
For small and mid-size businesses in manufacturing, healthcare services, professional services, or education-adjacent industries, March’s headlines carry a direct message: your sector is not off the target list. The incidents at Stryker, LexisNexis, and university systems involved attackers who had specifically researched these organizations’ data holdings and systems before executing their attacks. Opportunistic attacks are still common, but targeted attacks — where attackers invest weeks or months in reconnaissance before executing — are increasing in frequency.
Supply Chain and OAuth Abuse: The Technical Pattern Behind March’s Incidents
April will bring news of the March incidents’ downstream effects, as is typical of the months following major attacks. What the March data already shows is a technical pattern worth understanding: OAuth abuse and supply chain compromises are responsible for a disproportionate share of the month’s incidents. OAuth is the authorization framework that allows one application to access another on a user’s behalf — the delegated-access mechanism behind “Sign in with Google” or “Connect your Slack account.”
When attackers compromise an OAuth token or abuse OAuth permissions in a connected application, they gain access to everything that token is authorized to reach — often across multiple systems simultaneously, without triggering traditional login-based detection. The proliferation of connected business applications has expanded the OAuth attack surface significantly: the average SMB now uses more than 80 cloud applications, many of which are interconnected through OAuth relationships that have never been audited.
The practical implication for business owners is that connected app permissions represent an unreviewed attack surface in most small business environments. Applications granted access to your Google Workspace, Microsoft 365, or financial systems years ago may still hold permissions that are no longer necessary. An attacker who gains access to one connected application inherits whatever access that application holds across your environment.
What Business Leaders Should Consider
- Audit your connected application permissions this month. In Google Workspace, go to Security → API Controls → Third-party apps. In Microsoft 365, go to the Azure Active Directory portal → Enterprise Applications. Review what applications have been granted access, what permissions they hold, and whether those applications are still in active use. Revoke permissions for any application your organization no longer uses.
- If you work in healthcare, legal, or professional services, treat your data as a strategic intelligence target, not just a compliance requirement. The March incidents demonstrate that data-rich organizations are targeted not just for ransom but for the intelligence value of the information they hold. Your response plan should account for both data theft and operational disruption scenarios.
- Ask your IT provider about network segmentation if you have any connected operational equipment. Manufacturing, healthcare, and facilities management businesses that have connected physical equipment — machinery, HVAC, security systems, medical devices — to their business network need to confirm that a compromise of the IT network cannot reach operational systems. Network segmentation is the primary technical control for this risk.
- Verify that your cyber insurance covers geopolitically motivated attacks. Some cyber policies include exclusions for nation-state or politically motivated attacks. The Iran-aligned group behind the Stryker attack places that incident in a potentially excluded category for some policy holders. Review your exclusions now.
- Run a phishing simulation with your team in Q2. The reconnaissance-heavy, targeted attacks documented in March begin with social engineering — attackers gather information about your organization and craft highly personalized communications that are difficult to distinguish from legitimate business correspondence. A quarterly phishing simulation, even a simple one, trains your team to pause before clicking and report suspicious messages.
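The connected-app review above (and the earlier advice to audit who holds admin and API access in your cloud platforms) comes down to three questions per grant: how broad is the access, was it consented for every user or just one, and is the app still in use. The following is an added example, not code from this article or from Microsoft or Google: the grant records are constructed in the shape of Microsoft Graph `oauth2PermissionGrants` objects, and the app names, sign-in dates, the high-risk scope list and the 90-day staleness threshold are assumptions for illustration.

```python
"""Audit connected-app OAuth grants for over-broad and stale access.

Added example, not code from the original article or from any vendor.  The grant
records are constructed in the shape of Microsoft Graph oauth2PermissionGrants
objects (clientId, consentType, scope); app names, sign-in dates, the scope list
and the 90-day staleness threshold are all assumptions for illustration.
"""
from datetime import date

# Delegated scopes that reach far beyond a single user's own data.  Which scopes
# count as high risk is an assumption here, not a vendor classification.
HIGH_RISK_SCOPES = {
    "Directory.ReadWrite.All",
    "Files.ReadWrite.All",
    "Mail.ReadWrite",
    "User.ReadWrite.All",
}

# Constructed grant records.  Graph stores scopes as one space-separated string;
# consentType "AllPrincipals" means an admin consented on behalf of every user.
SAMPLE_GRANTS = [
    {"clientId": "app-crm", "consentType": "AllPrincipals",
     "scope": "User.Read Mail.ReadWrite"},
    {"clientId": "app-survey", "consentType": "Principal",
     "scope": "User.Read offline_access"},
    {"clientId": "app-legacy-sync", "consentType": "AllPrincipals",
     "scope": "Files.ReadWrite.All Directory.ReadWrite.All"},
    {"clientId": "app-expense", "consentType": "Principal",
     "scope": "User.Read"},
]

# Constructed inventory: display name and last observed sign-in per app.
SAMPLE_APPS = {
    "app-crm": ("CRM Connector", date(2026, 4, 10)),
    "app-survey": ("Survey Tool", date(2025, 9, 1)),
    "app-legacy-sync": ("Legacy File Sync", None),  # consented, never signed in
    "app-expense": ("Expense Reports", date(2026, 4, 13)),
}

AUDIT_DATE = date(2026, 4, 15)  # assumed "today" for the sample run


def audit_grant(grant, last_sign_in, today, stale_days=90):
    """Return (action, findings) for one grant.

    "revoke" - the app is unused or has never been used: remove it outright.
    "review" - in use, but holds high-risk scopes or tenant-wide consent.
    "ok"     - in use with narrow, per-user access.
    """
    scopes = set(grant["scope"].split())
    findings = []
    risky = sorted(HIGH_RISK_SCOPES & scopes)
    if risky:
        findings.append("high-risk scopes: " + ", ".join(risky))
    tenant_wide = grant["consentType"] == "AllPrincipals"
    if tenant_wide:
        findings.append("tenant-wide (admin) consent")
    if last_sign_in is None:
        findings.append("never used")
        return "revoke", findings
    idle = (today - last_sign_in).days
    if idle > stale_days:
        findings.append(f"unused for {idle} days")
        return "revoke", findings
    return ("review" if risky or tenant_wide else "ok"), findings


def audit_all(grants, apps, today, stale_days=90):
    """Audit every grant; returns {app_name: (action, findings)}."""
    report = {}
    for grant in grants:
        name, last_sign_in = apps.get(grant["clientId"], (grant["clientId"], None))
        report[name] = audit_grant(grant, last_sign_in, today, stale_days)
    return report


def sample_report():
    """Run the audit over the constructed data (used by the demo below)."""
    return audit_all(SAMPLE_GRANTS, SAMPLE_APPS, AUDIT_DATE)


if __name__ == "__main__":
    for name, (action, findings) in sample_report().items():
        print(f"{action.upper():6} {name}: {'; '.join(findings) or 'no issues'}")
```

An app that has tenant-wide consent and broad scopes but has never signed in is the case the article warns about: it is access an attacker could inherit without anyone in the business having used it.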
A Breach Doesn’t End When the Systems Come Back Online: How Business Leaders Protect and Rebuild Customer Trust
When a business experiences a data breach, the technology team’s job ends when systems are restored and the vulnerability is patched. The business leader’s job has just started. Reputation damage from a breach follows a different timeline than technical damage — it accumulates over months, plays out in customer behavior, and takes years to fully resolve. The businesses that manage it successfully treat it as a business problem, not a communications problem.


What the Research Shows About Breach-Related Customer Behavior
The financial impact of a breach extends far beyond the immediate recovery costs. IBM’s 2025 Cost of a Data Breach Report identifies customer churn — the loss of existing clients following a breach — as one of the three largest cost components for most organizations, alongside data restoration and regulatory response. Customer churn from a breach event is not immediate. It builds over time as affected customers make decisions about where to take their business.
Research from the Ponemon Institute found that businesses in regulated industries — healthcare, financial services, legal — experience the highest customer churn following a breach, with some sectors losing upwards of six percent of their customer base in the 18 months following a significant incident. For a business generating $2 million in annual revenue, a six percent customer loss represents $120,000 in recurring annual revenue — an ongoing cost that doesn’t appear in the initial breach report but compounds over the following years.
Consumer sentiment research from 2025 reveals a more nuanced picture: customers respond differently to breaches based on how the business communicated. Organizations that notified quickly, explained what happened in plain language, and provided specific protective actions for affected customers experienced measurably lower churn than those that delayed notification, minimized the incident, or communicated in technical language that customers couldn’t act on. The breach itself was less predictive of churn than the response to it.


The Three-Phase Reputation Recovery Framework
Phase 1: Immediate Response (Days 0-14). The actions taken in the first two weeks after a breach are disproportionately influential on long-term reputation outcomes. Speed of notification, clarity of communication, and the tone of the first public statement set the frame through which all subsequent events are interpreted. Businesses that notify affected customers before the breach is publicly reported, communicate in plain language rather than legal boilerplate, and take visible immediate action — credit monitoring offers, account security resets, direct customer calls for high-value relationships — demonstrate that they prioritize their customers over their own exposure management.
Phase 2: Stabilization (Weeks 2-12). The stabilization phase is when reputation capital is either built or destroyed through consistent follow-through. Businesses that communicated clearly in week one and then went silent while waiting for legal or regulatory processes to complete typically experience worse outcomes than those that provided regular, substantive updates throughout the investigation. Monthly updates — even when there is nothing definitive to report — signal continued ownership of the situation. Silence signals the opposite.
Phase 3: Recovery and Differentiation (Months 3-24). The businesses that successfully recover reputation capital do so by treating the breach not as a past incident to move beyond but as a catalyst for visible security investment. Publicly committing to and completing a SOC 2 audit, publishing the results of a third-party security assessment, or announcing a formal security governance program positions the organization as having responded substantively rather than defensively. Customers who stayed through the incident reward this behavior with increased loyalty; prospective customers evaluate it as evidence of organizational maturity.
What Separates Businesses That Recover from Those That Don’t
The common thread across organizations that successfully navigate breach-related reputation damage is that they treat reputation management as a leadership responsibility, not a communications function. The CEO or owner who is visibly accountable — who signs the customer notification letter, who appears in the public statement, who is reachable to key client contacts — signals something fundamentally different than the organization that routes all breach communication through a PR firm and legal counsel.
Business owners sometimes resist this approach out of concern that visibility increases personal liability. The evidence does not support that concern. Customers, regulators, and courts consistently treat visible, authentic accountability more favorably than organizational deflection. The business leader who steps forward is more likely to preserve trust — and legal standing — than the one who steps back.
What Business Leaders Should Do Next
- Draft your breach notification letter before you need it. Write a template that explains what happened, what data was affected, what you are doing about it, and what affected customers should do to protect themselves. Remove all legal hedging language and technical terminology. Have legal review it for compliance, not for tone. Store it somewhere accessible that isn’t your main network.
- Identify the ten customers or relationships whose loss would be most damaging to your business. For a breach event, these are your highest-priority personal outreach targets. Know in advance who they are, who the right contact person is, and what direct channel you would use to reach them within 24 hours of discovering a breach.
- Evaluate credit monitoring or identity protection services as a standard breach response offering. Offering affected customers credit monitoring at your cost demonstrates accountability and is often expected by regulators. Identify the service you would use now so you’re not evaluating vendors during a crisis.
- Define your organization’s breach communication values in writing. Speed, transparency, and plain language are the three values that research consistently links to better reputation outcomes. Write a one-paragraph statement of how your organization commits to communicating during a security incident. Include it in your incident response plan.
- Ask your IT provider to prepare a one-page “breach facts” template. When a breach occurs, you need to communicate quickly with a clear understanding of what happened technically. Your IT provider should be able to produce a plain-language description of the incident type, the affected systems, and the corrective actions taken within 24 hours of containment. Request this deliverable as part of your current IT service agreement.
Supply Chain Attacks Are Now the Preferred Method: How One Vendor Breach Can Shut Down Dozens of Businesses
Security researchers have documented a decisive strategic shift in how ransomware operators select targets: attacks through shared vendors and software providers — what the industry calls supply chain attacks — are now the preferred method for maximizing impact from a single compromise. For small business owners who depend on third-party software, payment processors, IT providers, and cloud platforms, this changes the calculus of risk in ways that demand a direct response.


The Economics of Supply Chain Attacks
The Conduent breach, which was initially reported as affecting approximately 4 million individuals, grew to confirmed impact on over 25 million people by February as Texas and Oregon completed audits of affected residents. The final scope of the Conduent incident is not yet known. What is known is that Conduent was one vendor, one breach event, and the downstream impact reached government agencies, healthcare organizations, and businesses across multiple states — none of which had any visibility into the vulnerability that created the exposure.
This is the model that attackers have recognized as superior to direct targeting of individual organizations. A single compromise of a widely used vendor delivers more victims, more leverage, and more monetization opportunities than any equivalent effort spent targeting small businesses one at a time. Ransomware-as-a-Service operators have adapted their targeting criteria accordingly: the highest-value targets are no longer the largest organizations — they are the organizations that serve the most other organizations.
The Conduent case illustrates a specific pattern: the breach was initially contained in the public disclosure, then expanded significantly as downstream organizations completed their own audits. This is typical of supply chain incidents. The vendor’s initial breach notification understates impact because they don’t have full visibility into what their clients held. The full scope emerges over weeks and months, long after affected organizations have already made their initial response decisions.


Three Supply Chain Incidents Business Owners Should Know
The pattern isn’t limited to large payment processors. In December 2025, SoundCloud, Freedom Mobile, and Leroy Merlin each reported breaches that originated with shared infrastructure or third-party providers rather than direct attacks on their own systems. In January 2026, both BridgePay’s ransomware event and the Match Group ShinyHunters claim followed similar pathways: attackers accessed platforms that served many organizations simultaneously.
For small business owners, the implications are practical rather than theoretical. If you use a managed payroll service, a cloud accounting platform, a point-of-sale system provided by a third-party vendor, or any business application that your provider hosts on shared infrastructure, you are embedded in a supply chain that attackers are actively analyzing for vulnerability. The question is not whether your vendor will be attacked. The question is whether you have the contractual protections, the monitoring, and the response plan to manage the event when it happens.
The FCC’s January 29th warning about a fourfold increase in attacks targeting SMB providers reinforced what incident data has been showing for months: the small and mid-size businesses that serve other small and mid-size businesses — IT providers, managed services firms, telecommunications companies, regional software vendors — have become primary targets precisely because of their role in the supply chain. An attacker who compromises a managed IT provider gains access to every client organization that provider manages.
What This Means for How You Evaluate Vendor Risk
Most small business owners evaluate vendors on price, service quality, and reliability. Security posture is rarely in the evaluation criteria, and almost never contractually enforced. This represents a measurable gap between the current threat environment and most businesses’ vendor management practices.
The businesses that are managing supply chain risk effectively are not doing so through sophisticated technical audits — they’re doing it through contractual requirements and basic due diligence questions. Does the vendor carry cyber liability insurance? Have they completed a SOC 2 Type II audit in the last 12 months? What is their notification obligation to clients if they discover a breach? How quickly can they demonstrate that they can restore your data from their backup systems?
These questions take 15 minutes to ask and cost nothing to require answers to. Vendors who cannot answer them should be evaluated as uninsured supply chain risk in your business continuity planning.
What Business Leaders Should Consider
- Add four supply chain security questions to your vendor evaluation process. For any vendor who holds your data or serves as infrastructure for your operations, ask: (1) Do you carry cyber liability insurance? (2) Have you completed a SOC 2 Type II audit? (3) What is your breach notification timeline to clients? (4) Can you demonstrate a successful data restore from backup? Document the answers.
- Review your contracts for vendor breach notification clauses. If your existing vendor contracts don’t require breach notification within 72 hours, add that language at next renewal. Most reputable vendors will accept this provision. Those who won’t are signaling something about how they handle incident communication.
- Know what data each vendor holds and where it lives. Create a simple inventory: vendor name, what data they hold (customer records, financial data, employee information), and whether that data is encrypted at rest. This takes one hour and becomes foundational when you need to assess impact in a breach event.
- Confirm your cyber insurance covers supply chain incidents. Many standard cyber policies exclude or limit coverage for breaches that originate with a vendor rather than your own systems. Review your policy specifically for supply chain and third-party breach coverage and request a coverage opinion from your broker on this specific scenario.
- Establish an alternative vendor capability for your two most critical dependencies. For each vendor whose failure would halt your operations, identify a backup option. You don’t need to contract with the backup vendor. You need to know who they are, what their onboarding timeline is, and what data migration looks like. That knowledge is valuable before an emergency, not during one.
Why 1 in 5 Small Businesses Don’t Recover From a Cyberattack — And the Five Controls That Determine Which Side You’re On
A 2025 Mastercard survey of more than 5,000 small business owners found that one in five businesses that experienced a cyberattack went bankrupt or permanently closed. The 80 percent who survived shared something in common: they had either prepared for the attack’s aftermath before it happened, or they absorbed costs that most businesses could not. The difference between those two outcomes is measurable, predictable, and largely within your control.


What the Survival Gap Actually Looks Like
The 20 percent failure rate among attacked small businesses is not evenly distributed. Businesses that fail after a cyberattack share identifiable characteristics: they were operating without tested backups, they had no documented recovery procedures, and they discovered their cyber insurance either didn’t cover the specific incident type or had coverage limits that didn’t match actual recovery costs. The attack itself was often not the cause of closure. The absence of preparation was.
IBM’s 2025 Cost of a Data Breach Report calculates that the average ransomware incident costs $4.4 million in total — over 38 times the average ransom demand of $115,000. That multiplier matters: businesses that pay the ransom and assume they’re recovered are typically looking at a fraction of their total costs. The remaining $4.2 million comes from operational downtime, data restoration, legal fees, regulatory penalties, customer notification obligations, and the staff time consumed by the response and recovery process.
Sixty percent of businesses hit by a major cyberattack close within six months. The timeline matters because most of the costs don’t arrive immediately. Customer churn happens over weeks. Regulatory investigations happen over months. Litigation from affected parties may not resolve for years. A business that appears to have survived an attack in the first 30 days may still be absorbing damage that manifests as closure by month six.


The Five Controls That Separate Survivors from Non-Survivors
Control 1: Offline, encrypted, tested backups. The most consistent differentiator between businesses that recovered and those that didn’t was backup integrity. Organizations with offline backups — stored separately from the network that ransomware could encrypt — and that had confirmed those backups were restorable within the past 90 days, recovered in days. Those whose backups were connected to the same network, unencrypted, or untested discovered their safety net didn’t exist when they needed it most.
Control 2: Multi-factor authentication on all remote access systems. Twenty-three percent of 2025 attacks entered through compromised credentials. Every system that can be accessed remotely — email, VPN, remote desktop, cloud applications — should require a second factor beyond a password. This single control eliminates the vast majority of credential-based attacks, including those using passwords obtained from prior third-party breaches your employees may not know occurred.
Control 3: A documented incident response plan. Businesses that had a documented response plan — even a simple one — recovered faster and at lower cost than those improvising their response under pressure. The plan does not need to be sophisticated. It needs to answer four questions: who do we call first, what systems do we isolate, how do we communicate with customers and employees, and what is our recovery priority order? Write those answers down before you need them.
Control 4: Cyber liability insurance with coverage limits that reflect actual costs. Coverage limits set based on the perceived value of what’s being protected — the server, the software — rather than the full scope of incident costs routinely leave businesses underinsured. A business with $500,000 in annual revenue might carry $250,000 in cyber coverage and face $1.8 million in recovery costs. Work with your broker to calculate coverage based on your actual recovery scenario, not on asset replacement value.
Control 5: Regular patching of all business-critical software. Thirty-two percent of 2025 attacks exploited unpatched vulnerabilities. Monthly patching of operating systems, business applications, and network devices eliminates the most actively exploited known vulnerabilities from your environment. This control requires consistent execution over time, not sophisticated tools.
What Businesses That Survive Have in Common
The businesses that absorb a cyberattack and continue operating are not necessarily the ones with the best technology. They are frequently the ones with the best operational discipline. They patched consistently, so fewer exploitable vulnerabilities existed. They maintained offline backups, so ransomware encryption wasn’t terminal. They had insurance that reflected their actual risk, so the financial event was survivable. They had a response plan, so the first 72 hours were methodical rather than chaotic.
This is an operational discipline problem, not a technology problem. The tools required are available to every small business. The difference between the businesses in the 80 percent who survived and the 20 percent who didn’t is almost never the sophistication of their defenses. It is whether they had executed the fundamentals consistently before the attack arrived.
What Business Leaders Should Do Next
- Schedule a backup restoration test for this month. Call your IT provider or whoever manages your backups and ask them to demonstrate a successful file restore from backup. If they can’t do it on short notice, that’s the answer. Fix the backup situation before anything else.
- Enable MFA on every email account in your organization. Email is the most frequently compromised business system and the entry point for a significant percentage of phishing-based attacks. If your team is not using MFA on email, make that change this week.
- Write a one-page incident response cheat sheet. List the first three calls you make if you discover ransomware on your network: your IT provider, your cyber insurance carrier, and your legal counsel. Include the after-hours contact numbers. Put copies in three places — because when ransomware hits, the computers where this document lives may be inaccessible.
- Review your cyber insurance policy with your broker this quarter. Ask specifically: does my current coverage limit match a realistic full recovery cost scenario? Does the policy cover business interruption, customer notification costs, and regulatory defense in addition to data recovery?
- Confirm your software patching schedule is actually happening. Ask your IT provider for the date of the last patching cycle for your critical systems. If you don’t have an IT provider, set a monthly calendar reminder to run Windows Update and update your business software on the first Tuesday of each month.
A Payment Processor Goes Dark, 26 Million Records Exposed: January’s Cyberattack Roundup and What Business Owners Must Know
The first two weeks of 2026 have produced three incidents that underscore a theme: attackers are targeting the financial and communications infrastructure that businesses depend on, not just the businesses themselves. For small and mid-size business owners, the implication is direct — your cyber risk does not stop at your front door.


Conduent: When the Breach Your Vendor Hid Becomes Your Problem
Conduent, a business process outsourcing firm that handles payment services for government agencies and corporations across the United States, disclosed a breach initially estimated at approximately 4 million affected individuals. By late January, Texas state officials reported that 15.4 million Texas residents were affected. Oregon officials followed with 10.5 million. The total confirmed breach now exceeds 25.9 million individuals — and that number may continue to grow as more agency audits are completed.
Conduent processes payments on behalf of government agencies, healthcare organizations, and corporations. The data exposed includes names, Social Security numbers, financial account details, and personal identifiers. Critically, many of the affected individuals never had a direct relationship with Conduent — they had a relationship with an agency or employer that contracted Conduent to process their information. This is the nature of third-party breach exposure: end users bear the consequences of decisions made by organizations they’ve never interacted with.
For business owners, the Conduent breach illustrates a specific vulnerability: when you outsource a business function, you are not outsourcing the associated risk. If a vendor who processes your payroll, manages your benefits, or handles customer payments is breached, you bear responsibility for the notification, the remediation, and the reputational impact — even if the technical failure was entirely on your vendor’s side.


BridgePay and Match Group: Payment Platforms and Consumer Data Under Pressure
BridgePay, a payments platform serving government clients and municipal organizations, confirmed a ransomware attack that disrupted service and locked multiple city governments out of critical payment systems. The incident forced manual processing of transactions across affected municipalities and highlighted the cascading operational impact when infrastructure-level services experience ransomware events.
Meanwhile, the ShinyHunters ransomware and extortion group — the same group responsible for the McGraw-Hill Salesforce breach that dominated headlines last fall — claimed theft of more than 10 million records from Match Group, the parent company of Hinge, Match, and OkCupid. The claim, posted January 28th, has not been fully confirmed by Match Group, but the pattern is consistent: ShinyHunters has transitioned from opportunistic attacks to sustained campaigns targeting large platform operators with extensive user data. Their goal is not just ransom — it’s a data marketplace where stolen records fund future operations.
Together, BridgePay and the Match Group claim represent two ends of the attack spectrum in January: one targeting operational infrastructure to extract ransom through business disruption, the other targeting data repositories to monetize stolen records through extortion and resale. Both approaches affected organizations they did not directly compromise — through service dependencies and data relationships.
The FCC Warning Small Businesses Should Take Seriously
On January 29th, the Federal Communications Commission issued a formal warning documenting a fourfold increase in ransomware attacks targeting small and medium-sized providers — particularly in telecommunications, utilities, and services infrastructure — since 2021. The warning noted that these providers frequently serve as entry points to larger organizational networks, making them preferred targets for attackers who want access to multiple downstream businesses through a single compromise.
The FCC warning is significant for a reason beyond its immediate subject matter. Federal regulatory agencies do not issue public warnings lightly — this represents an assessment that the threat to infrastructure providers is severe enough to require public disclosure and industry action. Small businesses that use telecommunications providers, managed IT services, cloud platforms, or any shared infrastructure are part of the risk landscape this warning describes.
The pattern across all three January incidents is consistent: attackers are moving up the value chain to target the platforms and processors that serve many organizations simultaneously. A single breach at a payment processor or a telecommunications provider delivers far more leverage — and far more victims — than targeting individual businesses one at a time. Understanding this shift changes how business owners should evaluate their own exposure.
What Business Leaders Should Consider
- Request your vendors’ incident response procedures in writing. If a vendor like Conduent processes data on your behalf and is breached, what are their contractual obligations to notify you? What is their timeline? Ask your key vendors to provide their incident response policy and confirm that it includes timely notification to clients.
- Review what data your payment processor holds and for how long. Many SMBs work with payment processors who retain transaction records, employee payment data, or customer billing information far longer than necessary. Shorter data retention means less exposure in a breach event.
- Confirm that your cyber liability insurance covers third-party breaches. Standard cyber policies vary significantly on whether they cover losses that originate with a vendor rather than with your own systems. Review your policy language specifically for third-party and supply chain coverage.
- Add a vendor breach notification clause to new contracts this year. Contracts with service providers should require them to notify you within 72 hours of discovering a breach that may affect your data. This aligns with most regulatory requirements and gives you the time needed to respond appropriately to affected customers or employees.
The 20 Percent of IT That Prevents 80 Percent of Attacks: A Framework for Small Business Leaders
Small and mid-size business owners often approach IT security the same way they approach enterprise IT: as a comprehensive program that requires dedicated staff, sophisticated tools, and significant budget. That framing is incorrect and counterproductive. The businesses that survive cyberattacks are not the ones with the most security tools — they’re the ones that consistently execute a small set of high-impact controls.


Why Small Businesses Fail at Security — Despite Spending Money
The most common IT security mistake made by small businesses is not underinvestment. It’s misaligned investment. A business might spend $15,000 per year on antivirus software, endpoint detection tools, and a firewall — while leaving remote desktop access open to the internet without multi-factor authentication. The expensive tools provide a sense of security. The unaddressed gap is where attackers enter.
The pattern repeats across industries. Businesses treat IT security like a checklist to be completed rather than a risk management discipline. They buy the tools on the list, check the boxes, and assume they’re covered. Meanwhile, the factors that actually drive breach risk — unpatched systems, reused passwords, unrestricted admin access, no tested backup — continue to exist uncorrected because they’re not on the vendor’s sales pitch.
The Pareto principle applies to cybersecurity with unusual precision. Security researchers at the Center for Internet Security have documented that five categories of controls — properly implemented — prevent the vast majority of breaches across all organization sizes. These are not the most sophisticated controls. They’re the most fundamental. And they’re the ones most frequently absent in small business environments because vendors have little financial incentive to sell them.


The Five Controls That Prevent 90 Percent of Attacks
The first is multi-factor authentication on all accounts that allow remote access or hold sensitive data. This includes email, your accounting system, your CRM, and any remote desktop tools. MFA blocks credential-based attacks regardless of password strength. It costs nothing to enable on most platforms and prevents the attack method used in 23 percent of 2025 breaches.
The second is software patch management on a defined schedule. Unpatched vulnerabilities are the entry point in 32 percent of ransomware attacks. Patching operating systems, business applications, and network devices within 30 days of a security update eliminates the most actively exploited vulnerabilities before attackers can use them. This requires a calendar reminder, not a tool.
The third is offline, encrypted, tested backups. When ransomware encrypts your data, an offline backup is the difference between a two-day recovery and a six-month crisis. “Offline” means physically or logically disconnected from your main network so ransomware cannot reach it. “Tested” means you have confirmed in the last 90 days that the backup actually restores successfully.
The fourth is principle of least privilege for user accounts. Most employees should not have administrator access on their own computers or on shared systems. When an employee account is compromised through phishing, an attacker inherits whatever permissions that account holds. Limiting user privileges limits the blast radius of any individual compromise. Audit who has admin rights in your environment — the answer is usually more people than it should be.
The fifth is email filtering with attachment sandboxing. Phishing remains a primary attack vector. Modern email security tools — available through Microsoft 365 Defender, Google Workspace, or standalone solutions — analyze attachments in isolated environments before they reach employees. This doesn’t require enterprise IT. It requires enabling a feature that likely already exists in your email platform.
What Right-Sized IT Security Looks Like for a 25-100 Person Business
A business with 25 to 100 employees that has implemented the five controls above is meaningfully better protected than the majority of small businesses currently operating — and has done so without dedicated security staff or enterprise-grade tools. The remaining security investment should be proportional to business risk: what data do you hold, what would a 48-hour outage cost, and what does your industry require by regulation?
For most small businesses, the right answer is a managed IT services provider who handles patching, backup monitoring, and basic security hygiene on a predictable monthly cost — plus cyber liability insurance sized to your actual exposure. The combination of consistent operational execution and financial protection covers the majority of realistic attack scenarios without requiring in-house expertise.
The businesses that struggle most with security are those trying to implement enterprise programs at small-business resources. The right question is not “how do we match enterprise security?” It’s “how do we systematically eliminate the factors that put us in the 88 percent of SMBs targeted by ransomware, while keeping operations running and costs predictable?” The five controls above are the answer to that question.
What Business Leaders Should Do Next
- Audit MFA coverage this week. List every system your team accesses remotely or that holds financial or customer data. For each, confirm whether multi-factor authentication is enabled. Any system without MFA is an open credential attack surface. Enable it before your next billing cycle.
- Locate your most recent backup and test a file restore. Don’t assume your backup works — confirm it. If you can’t identify when your backup was last tested or where it’s stored, that’s the answer you needed. Address this in the next 30 days.
- Run a user permissions audit. Ask your IT provider or whoever manages your systems to produce a list of accounts with administrator privileges. Anyone who doesn’t need admin access for their specific role should have those privileges removed.
- Establish a monthly patching schedule. It doesn’t need to be automated. It needs to be consistent. The first Tuesday of each month is a reasonable cadence that aligns with Microsoft’s Patch Tuesday release cycle.
- Confirm your email security settings include attachment scanning. If you use Microsoft 365 or Google Workspace, contact your IT provider or check your admin settings to verify that attachment sandboxing is enabled. If it’s not, enabling it is typically a configuration change, not an additional purchase.
Ransomware’s Worst Year on Record: What 9,251 Attacks in 2025 Tell Business Leaders About 2026
The final quarter of 2025 is delivering what the data predicted all year: ransomware attacks hit 9,251 recorded incidents through November, a 45 percent increase from 2024 and the highest volume on record. For small and mid-size business owners, the headline statistic matters less than what it reveals about how attacks are changing and who is being targeted.


The Numbers Behind 2025’s Ransomware Record
Cybersecurity Ventures places global ransomware damage costs at $57 billion annually in 2025, translating to roughly $156 million per day. That figure includes ransom payments, downtime losses, data restoration costs, legal fees, and reputational damage. The ransom itself represents a fraction — the average demand for an SMB incident is $84,000. The average total recovery cost exceeds $500,000.
The IBM Cost of a Data Breach Report 2025 calculates the average cost of a ransomware-specific incident at $4.4 million across all organization sizes. For small businesses, recovery frequently follows one of two paths: organizations that absorbed significant financial damage but survived, and those that didn’t. Sixty percent of small businesses hit by a major cyberattack close within six months. One in five that experience an attack go bankrupt, according to a Mastercard survey of 5,000 SMB owners.
The 45 percent increase in attack volume between 2024 and 2025 reflects two trends converging: the rise of Ransomware-as-a-Service platforms that allow low-skill attackers to execute sophisticated campaigns, and a deliberate strategic shift toward targeting organizations with weaker defenses. Small and mid-size businesses now absorb 88 percent of ransomware incidents — not because attackers hate small businesses, but because they represent the path of least resistance to guaranteed revenue.


What Changed in 2025: Attack Methods and Entry Points
The shift in attack methods matters as much as the increase in volume. In 2025, 32 percent of ransomware attacks entered through exploited vulnerabilities in software — meaning unpatched systems, not phishing emails. Twenty-three percent entered through compromised credentials, and 18 percent through phishing. The remainder used a mix of supply chain compromises, exposed remote access systems, and social engineering.
What this distribution tells business owners is that no single defense closes all entry points. A business that has excellent email filtering but hasn’t patched its operating systems in three months is still exposed. A business with strong passwords but no multi-factor authentication on its remote access systems is still accessible. The attack surface has expanded, and attackers are methodically searching all of it.
Double extortion — the practice of encrypting data and simultaneously threatening to publish it — was present in 87 percent of 2025 attacks, according to ransomware analysis from Huntress. This means paying the ransom no longer guarantees data stays private. Sixty-three percent of victims who experienced double extortion refused to pay, up from 46 percent in 2024, a sign that businesses are increasingly treating ransomware as a business continuity event rather than a straightforward payment decision.
The 2026 Outlook Business Leaders Should Plan Around
Three trends from 2025 are accelerating into 2026. First, AI-assisted phishing has made social engineering attacks harder to distinguish from legitimate communications — a trend that was emergent in 2025 and is becoming standard practice by year-end. Second, attackers have moved beyond encrypting local files toward targeting cloud environments, backup systems, and the management software businesses use to operate their IT — eliminating the recovery options that used to make ransomware survivable. Third, supply chain attacks have become the preferred method for scaling impact: compromise one vendor, reach hundreds of downstream businesses.
For a small business owner reading these trends, the actionable insight is not that the threat environment got worse — it’s that the threat environment is changing in specific, predictable ways. Businesses that update their defenses to account for AI-assisted attacks, cloud-targeting ransomware, and supply chain exposure will absorb the 2026 landscape differently than those operating on 2022-era assumptions.
The 9,251 attacks recorded in 2025 are not abstract statistics. They represent 9,251 decisions by specific attackers to target specific organizations they believed were within reach. Understanding what makes an organization reachable — and systematically removing those factors — is the most direct way business leaders can influence their own position in the 2026 numbers.
What Business Leaders Should Consider Before Year-End
- Review your software patch status before January 1st. Thirty-two percent of 2025 attacks entered through unpatched vulnerabilities. A simple audit of your critical business software — operating systems, remote access tools, financial applications — and ensuring all pending updates are applied is one of the highest-return security actions available at no additional cost.
- Verify that your backups are offline, encrypted, and tested. 2025 attacks increasingly targeted backup systems to eliminate recovery options. A backup that is connected to your network is a backup attackers can also encrypt. Offline backups, stored in a separate location and tested quarterly, remain the most reliable recovery mechanism after an incident.
- Enable multi-factor authentication on every system that allows remote access. Compromised credentials account for 23 percent of entry points. Multi-factor authentication blocks the vast majority of credential-based attacks, including those where an employee’s password was exposed in a prior breach.
- Set a calendar reminder for a vendor security review in Q1 2026. Supply chain attacks are accelerating. Schedule 30 minutes per key vendor to verify they carry cyber liability insurance, have completed security certifications, and can demonstrate how they protect data they hold on your behalf.
- Know your cyber insurance coverage before you need it. Review your policy now — not after an incident. Understand what triggers coverage, what the deductible is, what categories of loss are included, and whether your coverage limits reflect your actual recovery costs at 2025-era attack prices.
Emergency Alerts Shut Down, 33 Million Records Stolen: Last Week’s Attacks Target the Infrastructure Every Business Depends On
Two incidents from the past week illustrate a threat pattern that few business owners have prepared for: attackers are now targeting the shared infrastructure that organizations like yours rely on daily, meaning a breach at a vendor you’ve never heard of can shut down your operations just as effectively as one at your own front door.


When the Emergency Alert System Goes Dark
On November 3rd, the INC ransomware group compromised OnSolve’s CodeRED platform — the system that powers emergency alert notifications for hundreds of municipalities and businesses across the United States. The attack halted the platform’s ability to send critical alerts, while attackers simultaneously exfiltrated resident contact data and attempted extortion.
For most business owners, this incident registered as a footnote. It shouldn’t. CodeRED is the kind of infrastructure that sits invisibly beneath everyday operations. Local governments use it for disaster alerts. Healthcare facilities use it for staff mobilization. School districts use it for closures and emergencies. When it fails, every organization that depends on it loses capability without having done anything wrong — or having any control over the situation.
That’s the core risk of what security researchers call “fourth-party exposure”: not just your vendors, but your vendors’ vendors. A ransomware group targeting one software company can simultaneously disrupt hundreds of businesses downstream. INC ransomware specifically targets platforms with many dependents because a single compromise delivers maximum leverage — more victims to extort, more pressure to pay.


Coupang Breach: 33.7 Million Records and a Lesson About Platform Dependency
Also this week, South Korean e-commerce platform Coupang reported a data breach affecting 33.7 million customer accounts. Names, email addresses, phone numbers, shipping addresses, and partial order histories were exposed. Coupang operates across multiple countries and is used by both consumers and businesses for procurement, delivery, and operations.
The scale — 33.7 million records — places this among the largest consumer breaches of the year. But the business lesson here goes beyond the record count. A growing number of small and mid-size businesses have integrated platforms like Coupang, Amazon, Alibaba, and similar marketplaces into their core operations: supplier sourcing, product delivery, client fulfillment. When these platforms experience breaches, their business customers inherit the reputational exposure whether or not they had any control over it.
Customers don’t distinguish between a breach at your vendor and a breach at you. If their information was part of a platform you directed them to, that relationship carries liability — both legal and reputational.
The Pattern Behind This Week’s Headlines
Ransomware attacks increased 45 percent in 2025 compared to the prior year, with 9,251 recorded incidents versus 6,395 in 2024. Eighty-eight percent of those attacks targeted small and mid-size businesses. The average total cost of recovery for an SMB — including downtime, data restoration, legal fees, and lost revenue — now exceeds $500,000 per incident.
What this week’s headlines confirm is that the attack surface has expanded beyond your own systems. Attackers have learned that targeting widely-used platforms multiplies their leverage. A single compromise of a shared service — an alert system, a payment processor, a cloud application — reaches thousands of dependent businesses simultaneously. The INC group’s selection of CodeRED was not accidental. It was strategic.
Business owners who evaluate their security posture only through the lens of their own infrastructure are measuring the wrong thing. The question is no longer just “how secure are we?” It’s “how secure are the services we depend on, and what happens to our business if one of them fails tomorrow?”
What Business Leaders Should Consider
- Map your critical third-party dependencies this week. List the external platforms, software services, and vendors that would disrupt your operations if they went offline for 48 hours. Include services that feel invisible — alert systems, payment processors, scheduling tools, communications platforms.
- Ask your vendors one question: do they carry cyber liability insurance? If your vendors are breached and your business suffers losses, their insurance is your first line of financial recovery. Vendors who can’t answer this question clearly represent uninsured risk in your supply chain.
- Review what data you share with platforms. For each third-party service you use, understand what customer or employee data you’ve provided them. The Coupang breach exposed data that customers gave the platform directly — but in many business relationships, you are the one who shared that data on a customer’s behalf.
- Build a 48-hour contingency for your two most critical dependencies. What would you do if your primary payment processor, your communication platform, or your key software tool went dark for two days? Write the answer down now, not during the incident.
- Request your vendors’ SOC 2 reports or equivalent security certifications. A SOC 2 Type II report is a third-party audit of a vendor’s security controls. Vendors who have completed one can provide it. Those who haven’t represent unknown risk that belongs in your vendor evaluation process.