Security

HomeBlogSecurity

Category: Security

Small business owner and IT consultant reviewing cybersecurity assessment together in a conference room
CategoriesBusiness,  IT CyberSecurity,  Security

Under Armour Ransomware Breach — 72 Million Customers Exposed

Another Retail Giant Falls to Ransomware

Under Armour has confirmed that a ransomware attack resulted in customer data appearing on dark web forums. The breach exposed approximately 72 million customer records—names, email addresses, purchase histories, and in some cases, partial payment information.

For context, 72 million records represents more than the entire population of California, Texas, and Florida combined. This wasn’t a small data leak. This was a catastrophic exposure of customer trust.

Take Our 2-Minute Security Assessment

centrexIT has helped businesses protect customer data and respond to security incidents since 2002. If you’re not sure how your customer data is protected, let’s find out together.

Take the 2-Minute Cybersecurity Assessment

The Anatomy of a Retail Data Breach

Retail companies make attractive ransomware targets for several reasons. They collect massive amounts of customer data—names, addresses, payment information, purchase histories, loyalty program details. They often operate on thin margins that make security investments compete with other priorities. And they typically have complex technology environments spanning point-of-sale systems, e-commerce platforms, supply chain integrations, and corporate networks.

When ransomware operators breach a retail environment, they don’t just encrypt files anymore. Modern ransomware attacks follow a double-extortion model: attackers steal data first, then encrypt systems. If the victim refuses to pay for decryption, the attackers threaten to publish the stolen data. If the victim still refuses, the data hits the dark web—exactly what happened with Under Armour.

According to the Verizon 2025 Data Breach Investigations Report, ransomware was present in 44% of all breaches analyzed—a significant jump from 32% the previous year. The same report found that ransomware attacks rose 37% overall year-over-year, making it the dominant attack pattern across industries.

What Happens When Customer Data Hits the Dark Web

Once customer records appear on dark web forums, they become tools for additional attacks. Here’s what typically happens:

Credential stuffing: Attackers test the stolen email and password combinations against other services. Since many people reuse passwords, a breach at one company can compromise accounts elsewhere.

Phishing campaigns: With detailed purchase histories, attackers can craft convincing phishing emails. “We noticed a problem with your recent Under Armour order” becomes much more believable when they actually know what you ordered.

Identity theft: Names, addresses, and purchase patterns provide building blocks for identity fraud. Combined with information from other breaches, attackers can construct detailed profiles of potential victims.

Secondary sales: Initial buyers on dark web forums often repackage and resell data to other criminal groups, extending the exposure window indefinitely.

The SMB Connection

Under Armour is a multi-billion dollar company with dedicated security teams and significant technology budgets. If they can suffer a breach of this magnitude, what does that mean for smaller businesses?

The uncomfortable truth: small and mid-size businesses face the same threats but often with fewer resources. According to the Verizon 2025 DBIR, 88% of breaches at small and mid-sized businesses involved ransomware. And the Sophos State of Ransomware 2025 report found that the average recovery cost from a ransomware attack—excluding any ransom payment—was $1.53 million.

But there’s a nuance here that matters. Large enterprises get breached because they’re big targets with complex environments and valuable data. SMBs get breached because they’re easier targets with fewer defenses. Different reasons, but the same devastating outcomes.

Lessons for Every Business

The Under Armour breach reinforces several security fundamentals that apply regardless of company size:

Customer data requires special protection. Not all data is equal. Information that identifies individuals—names, addresses, purchase histories, payment details—deserves the highest level of protection because the consequences of exposure are severe and long-lasting.

Backup alone isn’t ransomware protection. Double-extortion attacks mean that even if you can restore from backups, attackers still have your data. Recovery planning must account for data theft, not just system encryption.

Detection speed matters enormously. The longer attackers remain in your environment before detection, the more data they can steal. Reducing dwell time from months to days can mean the difference between a contained incident and a catastrophic breach.

Incident response planning is essential. When a breach occurs, you don’t have time to figure out who does what. Response plans, communication templates, and decision trees need to exist before you need them.

Questions to Ask Your IT Team

Whether you manage IT internally or work with a partner, these questions can help assess your readiness:

Where does our customer data live? Can you map every system, database, and application that stores or processes customer information?

How would we know if data was being exfiltrated? Do you have monitoring that would detect unusual data transfers?

What’s our ransomware response plan? Beyond restoring from backup, how would you handle a situation where attackers have already stolen data?

When did we last test our backups? Having backups is different from having working, restorable, verified backups.

Take Our 2-Minute Security Assessment

centrexIT has helped businesses protect customer data and prepare for security incidents since 2002. If you’re not sure how your organization would handle a ransomware attack, let’s find out together.

Take the 2-Minute Cybersecurity Assessment

Sources

security professional reviewing network access logs on multiple monitors in a standard office environment
CategoriesBusiness,  Data Breaches,  Enterprise Security,  IT CyberSecurity,  Security

Nike Data Breach Exposes 1.4TB of Internal Data

Another Major Brand Falls to Sustained Network Intrusion

Nike has confirmed it’s investigating unauthorized access that resulted in approximately 1.4 terabytes of internal data being extracted from its systems. The scale of the extraction—1.4TB is roughly equivalent to 280 million pages of documents—signals this wasn’t a quick smash-and-grab. Someone had sustained access to Nike’s internal network long enough to locate, collect, and transfer a massive volume of files.

Take the 2-Minute Cybersecurity Assessment

centrexIT has helped businesses detect unauthorized access and protect internal systems since 2002. If you’re not sure who has access to your network right now, let’s find out together.

What 1.4TB of Data Actually Means

To put that volume in perspective: the average business email is about 75 kilobytes. At that size, 1.4TB represents roughly 18 million emails worth of data. Even if Nike’s stolen files were larger documents, spreadsheets, and databases, we’re still talking about millions of files.

That doesn’t happen in an afternoon. Extracting that volume of data requires time—time to identify valuable systems, time to navigate internal networks, time to compress and transfer files without triggering alerts. This pattern matches what security researchers call “sustained access,” where attackers establish persistent presence within a network before making their move.

The Uncomfortable Reality of Dwell Time

According to IBM’s 2025 Cost of a Data Breach Report, the average time to identify and contain a breach is 241 days—the lowest in nine years, but still more than six months of unauthorized access before anyone notices something is wrong.

Nike hasn’t disclosed when the unauthorized access began or how long attackers maintained presence. But the volume of data involved suggests this wasn’t a recent intrusion discovered quickly. More likely, someone was inside Nike’s network for weeks or months, quietly mapping systems and collecting files.

This is the pattern we see repeatedly: attackers gain initial access through compromised credentials, a vulnerable application, or a third-party vendor. Then they wait. They observe. They learn how the network operates, where valuable data lives, and how to move laterally without detection.

Third-Party Access: The Blind Spot

While Nike hasn’t confirmed the attack vector, security analysts note that many recent breaches share a common entry point: third-party access. Vendors, contractors, and partners often have legitimate credentials to access portions of an organization’s network. When those credentials are compromised—or when those third parties have weak security themselves—attackers get a free pass through the front door.

A January 2026 analysis from Strobes Security found that even when core platforms remain secure, connected systems like customer support tools, vendor portals, and legacy integrations often become the weakest entry points. Security programs focused only on primary applications miss the exposure created by everyone else who can log in.

What This Means for Your Business

Nike has resources most businesses can only imagine. Dedicated security teams. Enterprise detection tools. Compliance frameworks. And still, someone extracted 1.4TB of internal data.

The lesson isn’t that security is hopeless. The lesson is that traditional perimeter-focused security isn’t enough. You need visibility into who is accessing your systems right now. You need to know what “normal” looks like so you can spot “abnormal.” And you need to assume that someone, somewhere, is already testing your defenses.

Questions every business leader should be asking right now:

Who has access to your internal systems? Not just employees—vendors, contractors, former partners. Can you account for every credential that can log into your network?

How would you know if someone was inside your network today? Do you have monitoring that would detect unusual data movement? Would you notice someone downloading files at 2 AM?

When was your last access audit? Credentials accumulate over time. That contractor from three years ago might still have valid login information.

Take Our 2-Minute Security Assessment

centrexIT has helped businesses protect their networks and detect unauthorized access since 2002. If you’re not sure whether your current security would catch a sustained intrusion, let’s find out together.

Take the 2-Minute Cybersecurity Assessment

Sources

Dylan Natter CEO centrexIT From the CEO Desk article about the 88 percent problem showing ransomware disproportionately targets small and midsize businesses
CategoriesBusiness,  IT CyberSecurity,  Security

The 88% Problem

I came across a number recently that I haven’t been able to shake.

88%.

That’s the percentage of ransomware breaches last year that hit small and midsize businesses. Not the big guys. Not government. Businesses like the ones we work with every day.

For larger enterprises? That number is 39%.

When I first saw that, I thought there had to be something off with the data. But it checks out. And honestly, when you think about it, the math makes sense.

Why the Shift Happened

I’ve been in this industry for over two decades now, and I’ve watched the target move. The big companies got serious. They built out security teams, layered their defenses, made themselves expensive to go after. So the attackers adjusted.

It’s kind of like that story I heard early in the pandemic about toilet paper. Remember that? Someone explained to me that we didn’t actually have a shortage. The problem was proportion. It used to be 50/50 between commercial and home use. Then overnight it went to 95/5, and the manufacturers just weren’t set up for that shift.

Same thing happened here. Small and midsize businesses adopted cloud platforms, remote work tools, all these connected systems. That’s great for productivity. But most of them moved faster on the technology than they did on the security around it.

Attackers aren’t dumb. They follow the path of least resistance. Right now, that path runs straight through the mid-market.

The Assumption That Gets People in Trouble

I still hear it from business owners all the time: “We’re not big enough to be worth going after.”

I get why people think that. But here’s what that misses.

These attacks aren’t hand-crafted for each victim anymore. They’re automated. Attackers are running broad campaigns that scan thousands of organizations at once. They don’t care about your revenue. They care about whether your door is open.

And here’s the part that really concerns me: the window between “someone got in” and “everything is locked” has shrunk to about five days. Most businesses don’t even know they’ve been compromised in that timeframe.

Then there’s this: 69% of companies that paid a ransom got hit again. Once you’re marked as someone who pays, you become a repeat target. That’s really a thing now.

What We’re Seeing Work

Look, I’m not going to pretend we have all the answers. We’re far from perfect. But after watching this play out across dozens of organizations, you start to see patterns.

The ones that stay protected tend to share a few things:

They actually know what they have. You can’t protect systems you don’t know exist. Shadow IT, old cloud accounts nobody remembers, contractor access that never got turned off. These gaps are where attackers get in.

They’ve shifted their mindset. Instead of trying to prevent everything, they’re focused on detecting and responding quickly. Perfect prevention isn’t realistic. Fast containment is.

They treat security as ongoing operations, not a one-time project. The businesses that get hit are often the ones who did an audit two years ago and figured they were covered.

They have people watching. The tools are important, but the tools alone aren’t enough. You need people who can see context, who can catch the things that don’t fit a pattern. That’s really what we mean when we talk about People-First, AI-Amplified. The technology makes the people more effective. It doesn’t replace the judgment.

The Question Worth Asking

Here’s what I’d challenge you to think about: if someone started probing your systems tonight, how long would it take you to know?

Not how long until they got in. How long until you noticed someone was trying.

If the honest answer is “I have no idea,” that’s the gap worth closing.

The 88% number isn’t going down anytime soon. But whether your organization ends up part of that statistic is still something you can control.

Let’s Talk About Where You Stand

If you’re not sure what your security gaps look like, I’m happy to spend 30 minutes walking through it with you. No pitch, no pressure. Just an honest conversation about what’s working and what’s not.

Schedule a free 30-minute session

Sources

Office desk with laptop displaying Chrome browser extensions panel, illustrating the security risk of malicious browser extensions targeting enterprise HR and business platforms.
CategoriesBusiness,  IT CyberSecurity,  Security

Malicious Chrome Extensions Stole Credentials from 2,300 Businesses

Five browser extensions were just removed from the Chrome Web Store after security researchers discovered they were stealing login credentials from enterprise HR and business platforms.

The extensions posed as productivity tools for Workday, NetSuite, and SAP SuccessFactors. Instead, they harvested authentication cookies every 60 seconds, blocked security administration pages to prevent incident response, and enabled complete account takeover—all while bypassing multi-factor authentication.

Over 2,300 users installed them before removal. Some are still available on third-party download sites.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

What Happened

On January 15, 2026, security researchers at Socket discovered five malicious Chrome extensions operating as a coordinated attack campaign. The extensions shared identical code structures, API patterns, and infrastructure despite appearing under different publisher names.

The five malicious extensions were:

  • DataByCloud 1 (1,000 installs)
  • DataByCloud 2 (1,000 installs)
  • DataByCloud Access (251 installs)
  • Tool Access 11 (101 installs)
  • Software Access (unknown installs)

All marketed themselves as tools to streamline access to enterprise platforms, promising faster workflows and bulk account management.

None delivered on those promises. Instead, they executed three distinct attack types simultaneously.

How the Attack Worked

Cookie theft every 60 seconds. The extensions continuously extracted authentication cookies from targeted platforms including Workday, NetSuite, and SAP SuccessFactors. These cookies contain active login tokens that allow access without re-entering credentials. The stolen data was encrypted and sent to remote servers controlled by the attackers.

Security page blocking. Two of the extensions actively blocked access to security administration pages within Workday. When administrators tried to access authentication policies, IP range settings, password reset functions, or audit logs, the pages either displayed blank content or redirected elsewhere. This prevented IT teams from responding to the breach or even detecting unusual activity.

Session hijacking. Using the stolen cookies, attackers could take over authenticated sessions without needing usernames, passwords, or MFA codes. The session tokens were already validated—the attackers simply injected them into their own browsers and gained full access.

Why This Bypassed MFA

Multi-factor authentication protects the login process. It verifies identity when you enter credentials. But once you’re logged in, your session is maintained by cookies and tokens—not continuous MFA checks.

These extensions stole the session tokens after authentication was complete. The attackers didn’t need to bypass MFA because they were hijacking sessions that had already passed all security checks.

This is why session management and browser security matter as much as strong authentication.

What to Do Now

If your organization uses Chrome and accesses HR or business platforms through the browser, take these steps:

Audit installed extensions. Open Chrome, go to the extensions page (chrome://extensions), and review everything installed. Specifically check for and remove these five extensions if present: DataByCloud 1, DataByCloud 2, DataByCloud Access, Tool Access 11, and Software Access. Also remove anything else unfamiliar, especially tools claiming to provide access to HR or ERP platforms. Legitimate enterprise platforms don’t require third-party browser extensions.

Check across all devices. If Chrome sync is enabled, malicious extensions may have spread to multiple devices. Audit each one separately.

Review authentication logs. Check Workday, NetSuite, or SuccessFactors admin panels for unexpected sessions, unfamiliar IP addresses, or access from unusual locations during the period any suspicious extensions were installed.

Reset passwords from a clean system. If you suspect exposure, change passwords—but do it from a device you’ve verified is clean. Resetting from an infected browser means the new credentials get stolen immediately.

Implement extension allowlists. Chrome Enterprise allows organizations to restrict which extensions can be installed. Consider implementing allowlists that only permit approved, vetted extensions.

The Bigger Picture

Browser extensions are one of the most overlooked attack vectors in enterprise security. They run inside the browser with access to everything you access—passwords, session tokens, sensitive data, internal systems.

Traditional perimeter security doesn’t see them. Endpoint protection often ignores them. They bypass network monitoring entirely because the data theft happens within encrypted browser sessions.

Most organizations don’t have policies governing what extensions employees can install. Most don’t audit installed extensions regularly. Most wouldn’t know if an extension was exfiltrating data right now.

This attack worked because browser security is still treated as an afterthought in most enterprise environments. That needs to change.

Take Our 2-Minute Security Assessment

centrexIT has protected businesses since 2002. Browser security is just one piece of a comprehensive security posture. Find out where your organization stands.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

Sources

  • Socket Security Research (January 15, 2026): “5 Malicious Chrome Extensions Enable Session Hijacking in Enterprise HR Platforms”
  • The Hacker News (January 16, 2026): “Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts”
  • BleepingComputer (January 16, 2026): “Credential-stealing Chrome extensions target enterprise HR platforms”
  • Infosecurity Magazine (January 19, 2026): “Malicious Google Chrome Extensions Hijack Workday and Netsuite”
IT operations team reviewing AI readiness assessment on laptop screen with whiteboard showing artificial intelligence readiness framework and four pillars during planning meeting in office conference room
CategoriesBusiness,  IT CyberSecurity,  Security

How to Evaluate If Your Organization Is Ready for Autonomous Systems

Businesses are asking “should we adopt autonomous systems?” when the better question is “are we ready to adopt autonomous systems?”

Those are very different questions. And the honest answer for many organizations is: not yet.

Here’s why that’s okay—and how to know where you stand.

The Readiness Gap Nobody Talks About

Accenture research shows that only 12% of companies have reached what they call “AI maturity”—the organizational readiness to deploy autonomous systems effectively.

That means 88% of businesses are somewhere on the journey, but not at the destination.

The problem isn’t the technology. AI systems that can monitor networks, respond to incidents, optimize performance, and manage routine operations already exist. They work.

The problem is organizational readiness. Autonomous systems require foundations that many businesses haven’t built yet. Trying to deploy AI before you’re ready doesn’t accelerate progress—it creates expensive failures.

Take the Assessment: https://centrexit.com/cyber-security-readiness-assessment/

The Four Readiness Pillars

After working with dozens of organizations at different stages of this journey, we’ve identified four pillars that determine whether autonomous systems will help you or hurt you.

1. Process Clarity

Autonomous systems execute processes. If your processes aren’t documented, standardized, or consistently followed, giving them to AI just automates chaos.

Ask yourself: If someone asked “how do we handle a security alert?” would five different team members give the same answer? If not, you’re not ready for automation.

You need: Documented workflows, clear escalation paths, and consistent execution. AI can’t create process discipline—it can only amplify what already exists.

2. Data Foundation

AI systems learn from data. If your data is incomplete, inconsistent, or trapped in disconnected systems, autonomous operations will make decisions based on incomplete information.

Ask yourself: Can you easily access accurate data about system performance, user activity, security events, and operational metrics? If gathering that information requires manual effort across multiple tools, your data foundation isn’t ready.

You need: Centralized logging, consistent monitoring, integrated systems, and clean data pipelines. Not perfect data—but reliable, accessible, consistent data.

3. Trust Infrastructure

Autonomous systems require trust—but that trust has to be earned through proven reliability in controlled scenarios.

Ask yourself: Do you have environments where AI can prove itself with limited risk? Can you test autonomous decision-making in non-critical systems before expanding to critical operations?

You need: Sandbox environments, pilot programs, and a phased implementation approach that views AI deployment as gradual adoption, not binary commitment. Trust builds gradually, not overnight.

4. Governance Framework

This is the pillar most organizations skip—and it’s the most critical.

Autonomous systems need clear boundaries. What decisions can AI make independently? What requires human review? What’s completely off-limits to automation?

Ask yourself: If an AI system made a decision that caused a problem, would your team know who’s accountable and what the review process looks like? If the answer is unclear, your governance isn’t ready.

You need: Defined decision authority, accountability structures, override mechanisms, and audit capabilities. AI doesn’t eliminate responsibility—it changes how responsibility is structured.

The Readiness Assessment Framework

Here’s a practical framework to evaluate where you stand:

Level 1: Foundation Building

  • Processes are inconsistent or undocumented
  • Data exists but isn’t centralized or reliable
  • No formal AI governance discussions
  • Team skeptical or uncertain about AI

What this means: You’re not ready for autonomous systems yet—but you can start building readiness. Focus on process documentation and data centralization first.

Level 2: Readiness Emerging

  • Core processes documented and followed
  • Monitoring and logging mostly centralized
  • Exploring AI capabilities in limited pilots
  • Some governance conversations happening

What this means: You’re building the foundation. Start small-scale pilots in non-critical areas. Use these to build trust and refine governance.

Level 3: Deployment Ready

  • Standardized processes across operations
  • Reliable, accessible data infrastructure
  • Successful pilots with measurable outcomes
  • Clear governance framework in place

What this means: You’re ready to expand autonomous systems into production operations. Start with bounded decision-making and expand based on proven results.

Level 4: Operational Maturity

  • Autonomous systems handling routine operations
  • Continuous learning from operational data
  • Mature governance with clear accountability
  • Team confidently directing AI systems

What this means: You’re in the 12%. Now the focus shifts to optimization, expanding capabilities, and continuous improvement.

Why Readiness Matters More Than Speed

Companies rush toward autonomous systems because competitors are doing it, or because they feel pressure to “innovate,” or because AI becomes a board-level discussion topic.

The ones who succeed aren’t the fastest to adopt. They’re the ones who build readiness first.

Here’s what happens when organizations skip readiness:

Autonomous systems make bad decisions based on incomplete data. Teams lose trust in AI capabilities. Governance failures create accountability gaps. The organization concludes “AI doesn’t work” when the real problem was “we weren’t ready.”

Contrast that with phased, readiness-based adoption:

Small pilots prove value in controlled environments. Teams build confidence through successful experiences. Governance frameworks prevent surprises. The organization expands AI capabilities because they’ve earned trust through demonstrated results.

Same technology. Completely different outcomes. The difference is readiness.

Where to Start Based on Your Level

If you’re at Level 1, most organizations are still building foundations with you. Your next step isn’t AI deployment—it’s process documentation and data centralization.

If you’re at Level 2, you’re in the pilot phase. Run small experiments in non-critical systems. Build governance frameworks before expanding. Let trust develop through proven performance.

If you’re at Level 3 or 4, you’re ahead of most. Your focus shifts to optimization, risk management, and scaling what’s working.

The autonomous IT era is coming—but it’s not a race where speed wins. It’s a transformation where readiness determines success.

Assess honestly where you stand. Build the foundations that matter. Deploy when you’re ready, not when you feel pressured.

That’s how organizations get autonomous systems that actually work.

Take Our 2-Minute Security Assessment

Readiness starts with understanding where you currently stand. Our cybersecurity assessment helps identify gaps in your foundation—the same foundation autonomous systems require.

centrexIT has helped San Diego businesses operate with confidence since 2002. Now we’re helping them prepare for what comes next.

Take the Assessment: https://centrexit.com/cyber-security-readiness-assessment/

Hand holding smartphone displaying Uber logo with data breach warning alert, illustrating the September 2022 MFA fatigue attack that compromised Uber's internal systems through exhausted contractor approval.
CategoriesBusiness,  IT CyberSecurity,  Security

How Uber Was Breached Through MFA Fatigue: A Security Wake-Up Call

September 2022. A ride-share giant’s entire network compromised. Not through sophisticated malware or zero-day exploits—but because someone got tired of saying no.

It started with a stolen password.

An Uber contractor’s credentials—likely purchased from the dark web after an earlier breach—gave an attacker the first piece they needed. But Uber had multi-factor authentication protecting those credentials. Every login attempt triggered a push notification to the contractor’s phone: “Approve this sign-in?”

The contractor kept denying it.

So the attacker kept trying.

Again. And again. And again.

Push notification after push notification flooded the contractor’s phone. 10 notifications. 20 notifications. 40 notifications in 30 minutes. During work hours. During dinner. Late at night.

Eventually, exhausted and assuming it was some kind of system glitch, the contractor approved one.

The attacker was in.

What Happened Next

Once inside the network, the attacker moved laterally through Uber’s systems with alarming speed. They gained access to:

  • Internal Slack channels where employees had shared credentials
  • Cloud storage containing code repositories
  • Administrative tools for Uber’s production environment
  • Third-party systems including security platforms

The attacker even accessed Uber’s HackerOne account—the platform Uber uses to run its bug bounty program—and sent messages to security researchers announcing the breach.

“I announce I am a hacker and Uber has suffered a data breach,” one message read, accompanied by screenshots of internal systems.

The entire Uber engineering team had to be locked out of their own code repositories while the company investigated. Services went dark. The incident response scramble consumed hundreds of employee hours.

All because someone got tired of dismissing authentication requests.

How MFA Fatigue Attacks Work

Multi-factor authentication is supposed to stop exactly this scenario. You know the password? Great—but you still need to approve the login from your registered device.

Except attackers discovered the weakness: human psychology.

The attack pattern is simple:

Step 1: Obtain valid credentials (purchased, phished, or breached)
Step 2: Automate login attempts with those credentials
Step 3: Generate dozens or hundreds of MFA push notifications
Step 4: Wait for the victim to approve one out of frustration or confusion

The victim isn’t being tricked into revealing their password. They’re being exhausted into approving access they know is unauthorized.

Security professionals call it “MFA fatigue” or “push notification bombing.” Attackers call it effective.

The Social Engineering Layer

In Uber’s case, the attacker added one more element: they contacted the contractor directly.

Posing as Uber IT support, the attacker messaged the contractor claiming the notifications were part of a system fix. “Just approve the next one and they’ll stop,” the message suggested.

Tired of the constant alerts and believing they were talking to legitimate IT staff, the contractor approved the authentication request.

That combination—technical persistence plus social manipulation—is what makes MFA fatigue attacks so dangerous. The victim often knows something is wrong but approves anyway.

Why Traditional MFA Failed

Uber had implemented what many organizations consider best practice: multi-factor authentication requiring device approval.

But the implementation had a critical flaw—it allowed unlimited authentication attempts without throttling or alerts. An attacker could send 100 push notifications with no consequences beyond annoying the user.

The system treated each authentication request independently. No escalation after 5 denials. No automatic lockout after 10 attempts. No alert to security teams that something abnormal was happening.

The MFA provided security theater—visible protection that gave a false sense of safety—without addressing the human factor.

What Makes You Vulnerable

Your organization is vulnerable to MFA fatigue attacks if:

  • MFA push notifications have no attempt limits
  • Users can approve requests without context (what device, what location, what service)
  • No alerts trigger after multiple denied attempts
  • Contractors and vendors use the same MFA as internal employees
  • Users receive MFA requests during off-hours with no additional verification

The Uber breach demonstrated that MFA alone—without proper implementation and monitoring—creates a false confidence. You believe you’re protected because you have two-factor authentication. You’re not wrong, but you’re not as safe as you think.

The Aftermath

Uber disclosed the breach publicly after the attacker announced it themselves. The company’s new chief security officer, hired just months earlier specifically to improve security culture, faced their first major crisis.

The Federal Trade Commission later included the Uber breach in enforcement actions, highlighting the company’s pattern of security failures. The incident cost Uber millions in investigation, remediation, and regulatory response.

But the broader damage was to trust. Uber riders, drivers, and employees all had to question whether their personal information was secure. The breach exposed sensitive data including:

  • Driver license information
  • Social Security numbers
  • Background check details
  • Internal communications
  • Security vulnerability reports

For the contractor whose account was compromised? They likely faced internal review despite being the victim of a sophisticated social engineering attack.

What Actually Prevents This

Preventing MFA fatigue attacks requires layering defenses:

Number matching: Instead of “Approve yes/no,” the system displays a number that must be entered on the authenticating device. This eliminates mindless approval.

Attempt throttling: After 3 denied MFA requests, lock the account and alert security. After 5 denials, require in-person verification.

Context in requests: Show users what they’re approving—device type, location, IP address, time. “Someone in Russia is trying to log into your account at 3 AM” gets different treatment than generic requests.

Time-based restrictions: If your employees never log in from Asia at 2 AM, automatically deny those requests regardless of MFA approval.

Separate authentication for high-value access: Administrative accounts shouldn’t use the same MFA as standard users. Add hardware tokens or biometric requirements.

The goal isn’t making authentication harder—it’s making social engineering attacks impossible to execute at scale.

The Real Lesson

The Uber breach proves something security teams already knew: people will eventually do what’s convenient, even when they know it’s wrong.

The contractor who approved that authentication request wasn’t careless. They were human. Exhausted. Overwhelmed. Trusting that someone claiming to be IT support was telling them the truth.

Your security architecture has to account for that. Not with blame or punishment—with design that makes the secure choice the easy choice.

MFA fatigue attacks work because the secure action (denying every single request) creates friction. The attack exploits that friction.

The question isn’t whether your employees will eventually approve something they shouldn’t. The question is: what happens when they do?

Take Our 2-Minute Security Assessment

centrexIT has protected San Diego businesses since 2002. If MFA fatigue attacks concern you—or if you’re not sure whether your authentication system can withstand this kind of social engineering—let’s find out together.

Take the 2-Minute Cybersecurity Assessment:
https://centrexit.com/cyber-security-readiness-assessment/

Sources

  • TechCrunch: “Uber Investigating Breach of Internal Computer Systems” (September 2022)
  • BleepingComputer: “Uber Hacked, Internal Systems Breached” (September 2022)
  • The New York Times: “Uber Investigating Breach of Its Computer Systems” (September 2022)
  • KrebsOnSecurity: “MFA Fatigue Attacks” (2022)
  • CISA: “Multi-Factor Authentication (MFA)” – Cybersecurity Best Practices
  • Microsoft Security: “Number Matching in Microsoft Authenticator” (2022)
Hospital IT security team monitoring healthcare systems for potential breach indicators
CategoriesBusiness,  Healthcare,  IT CyberSecurity,  Security

2025’s Biggest Healthcare Data Breaches: Lessons for 2026

Another Brutal Year for Patient Data

2025 did not break the record set by the Change Healthcare attack—that catastrophic breach affected 193 million people and remains the worst in healthcare history. But 605 healthcare breaches were still reported to HHS, affecting 44.3 million Americans.

The numbers tell a familiar story: healthcare remains one of the most targeted sectors, and the patterns of failure repeat year after year. Understanding what happened in 2025 is essential for organizations determined to avoid becoming 2026 statistics.

Take the 2-Minute Cybersecurity Assessment

The Biggest Breaches of 2025

Yale New Haven Health System: 5.56 Million Affected

Connecticut’s largest health system detected unusual activity on March 8, 2025. Hackers had breached the network and obtained sensitive data including names, contact information, demographic data, medical record numbers, and Social Security numbers. The electronic medical records system was not accessed, but the breach affected 5.56 million patients.

Episource: 5.42 Million Affected

This IT vendor providing risk adjustment and medical coding services to health plans suffered a ransomware attack in February 2025. When a vendor with access to multiple health systems gets breached, the impact cascades across their entire client base.

Blue Shield of California: 4.7 Million Affected

This breach was different—it was not a hack but a configuration error. Google Analytics had been improperly configured in a way that could have allowed Google Ads to deliver ad campaigns back to impacted members. Blue Shield severed the connection in January 2024 but notified members throughout 2025.

McLaren Health Care: 743,131 Affected

Michigan’s McLaren Health Care suffered its second ransomware attack in two years. The Inc Ransom group claimed responsibility. Attackers had access between July 17 and August 3, 2024, but the breach was not fully understood until May 2025. Being hit twice in two years illustrates that recovery without fundamental security improvements just sets up the next attack.

Covenant Health: 478,188 Affected

The Qilin ransomware group struck this Catholic healthcare organization in May 2025, claiming to have stolen 850 GB of data. Hospitals in Maine, New Hampshire, and Massachusetts experienced system shutdowns. Wait times increased and some services were only available with paper orders.

The Patterns That Keep Repeating

  • Third-Party Vendor Risk

The Episource and Conduent breaches demonstrate that healthcare security extends far beyond hospital walls. When billing companies, IT vendors, and business associates get breached, patient data goes with them. Many healthcare organizations still lack visibility into their vendor ecosystem’s security practices.

  • Delayed Detection

McLaren’s attackers had access for over two weeks before detection. Many breaches take months to fully investigate. The time between intrusion and detection—dwell time—remains dangerously long in healthcare.

  • Repeat Targets

McLaren was hit twice in two years. Organizations that recover from ransomware without addressing fundamental security gaps become known as easy targets who will pay or suffer again.

What Experts Predict for 2026

Dave Bailey, vice president of security services at Clearwater, notes a clear shift from opportunistic attacks to highly coordinated, multi-stage operations. He predicts more disruptive attacks masquerading as traditional ransomware events, with attackers corrupting backups and damaging infrastructure to maximize pressure.

AI-enabled attacks that dramatically compress the time from initial access to impact are becoming more common. Healthcare organizations relying on manual processes will struggle to keep pace.

Take Our 2-Minute Security Assessment

centrexIT has protected San Diego healthcare organizations since 2002. If you’re not sure how your organization would fare against the attacks targeting healthcare, let’s find out together.

Take the 2-Minute Cybersecurity Assessment

Sources

  • HHS Office for Civil Rights Breach Portal—605 breaches, 44.3 million affected (December 2025)
  • HIPAA Journal: “Largest Healthcare Data Breaches of 2025” (January 2, 2026)
  • Chief Healthcare Executive: “These are the biggest health data breaches in the first half of 2025” (December 2025)
  • Bank Info Security: “2025 in Health Data Breaches and Predictions for 2026” (December 2025)
  • The Record: “Nearly 480,000 impacted by Covenant Health data breach” (January 2, 2026)

 

CategoriesBusiness,  IT CyberSecurity,  Security

2025 Cybersecurity Year in Review: The Year Organizations Stopped Being Victims

2025 Cybersecurity Year in Review

The Year Organizations Stopped Being Victims and Started Fighting Back

2025 wasn’t just another year of rising cyber threats. It was the year the tide turned.

For the first time in the modern ransomware era, organizations stopped being easy targets. They invested in the fundamentals. They practiced their response plans. They tested their backups. And when attacks came, they recovered without funding criminals.

Here’s what actually happened in 2025—backed by real data from the industry’s most credible sources.

2025 By The Numbers

77%
Ransomware Victims Refused to Pay
23%
Payment Rate (Record Low)
↓35%
Total Ransom Payments (YoY)
$4.44M
Average Data Breach Cost

The Ransomware Reversal: 77% Said No

In Q3 2025, only 23% of ransomware victims paid the ransom—the lowest rate ever recorded. That means more than three out of four organizations recovered without funding the criminals who attacked them.

Ransomware Payment Rate Decline (2019-2025)

2019
2020
2021
2022
2023
2024
2025

85%
70%
55%
41%
37%
28%
23%

Source: Coveware Quarterly Ransomware Reports (2019-2025)

This dramatic decline represents a fundamental shift in how organizations approach ransomware. Instead of hoping they won’t be targeted, they’re preparing to survive when they are.

What Changed: Organizations finally invested in tested backups, 24/7 monitoring, and incident response plans they’d actually practiced. When ransomware hit, they recovered without paying.

Could Your Organization Survive Without Paying?

77% of organizations in 2025 recovered without funding criminals. Find out if you’re prepared to join them.


Take the 2-Minute Security Assessment →

No sales call required • Get results immediately • centrexIT has protected businesses since 2002

The Money Story: Payments Plummeted

Total ransomware payments dropped 35% year-over-year, falling from $1.1 billion in 2023 to $813 million in 2024. This happened despite attack volumes hitting all-time highs.

Total Global Ransomware Payments

2023
$1.1B
2024
$813M
↓35%
Year-over-Year Decline

Source: Chainalysis 2025 Crypto Crime Report

The criminals’ business model is breaking. More attacks, less money. Organizations are proving that preparation beats ransom payments.

How Attackers Got In: The Top Vectors

Understanding how breaches happen is the first step to preventing them. Here’s what the data revealed about 2025 attack patterns:

Primary Attack Vectors in 2025

Phishing
30%
30% of all breaches
Supply Chain/Third-Party
15%
2x from 2024
Stolen/Compromised Credentials
10%
10%
Exploited Vulnerabilities
8%
8%

Critical Insight: The human element caused 68% of all data breaches in 2025. Training your people isn’t optional—it’s essential.

Source: Verizon 2025 Data Breach Investigations Report (DBIR), IBM 2025 Cost of a Data Breach Report

Industries Under Fire

Ransomware didn’t attack all industries equally. Some sectors bore the brunt of 2025’s onslaught:

Most Targeted Industries in 2025

Manufacturing
+61% attacks (YoY)
29% of all ransomware attacks
Finance & Insurance
$5.9M avg breach cost
Second-most expensive sector
Healthcare
$9.77M avg breach cost
Third-most targeted (costs down 10.6%)

Why Manufacturing?

Downtime equals lost revenue. Stopping a factory line even for a day can cost millions, so attackers bet that manufacturers will pay quickly. The convergence of IT and OT (operational technology) networks created new vulnerabilities attackers eagerly exploited.

Source: Check Point Research Q2 2024, IBM Cost of a Data Breach 2025, HIPAA Journal

The AI Revolution: Weapon and Shield

2025 marked the year AI became central to both attacks and defenses. The same technology empowering security teams also armed threat actors with unprecedented capabilities.

⚠️ AI-Powered Threats

  • Autonomous attacks: AI agents planning and executing breaches without human intervention
  • Deepfake attacks: 21-28% of security leaders feel least prepared for these
  • AI-vishing: Voice deepfakes targeting executives
  • Polymorphic malware: AI-guided code that reconfigures itself to evade detection

✓ AI-Powered Defenses

  • 34% cost reduction: Organizations with security AI saved $1.9M per breach on average
  • Faster detection: AI-powered monitoring catches threats in hours instead of weeks
  • Automated response: Machine-speed containment and remediation
  • Behavioral analysis: AI identifies anomalies humans would miss
$1.9M
Average Savings with Security AI

Source: IBM Cost of a Data Breach Report 2025

The organizations that thrived in 2025 were those that deployed AI defensively while preparing for AI-powered attacks.

Notable 2025 Incidents

These high-profile breaches shaped the year’s narrative and taught critical lessons:

PowerSchool Breach

Target: North American school software provider

Impact: Student and teacher data compromised

Lesson: Even education technology isn’t immune—attackers target data, not industries

Jaguar Land Rover

Target: UK automotive manufacturer

Impact: Production halted, dealers couldn’t register vehicles

Lesson: Supply chain disruptions affect entire industries, not just one company

Volvo Group/Miljödata

Target: Third-party HR software provider

Impact: 870,000 employee records leaked across vendor’s client base

Lesson: Your security is only as strong as your weakest vendor

St. Paul, Minnesota

Target: City government systems

Impact: Critical city services disrupted for weeks

Lesson: Government and public sector remain vulnerable, affecting citizen services

Who Won in 2025?

The organizations that refused to pay ransoms weren’t the biggest or best-funded. They were the most prepared. Here’s what they had in common:

The Resilience Checklist

✓ Tested, Offsite Backups

Not just “we have backups”—backups they’d actually restored from in the last 30 days

✓ 24/7 Security Monitoring

Threats don’t wait for business hours—neither should your defenses

✓ Practiced Incident Response

Plans that had been tested, not just documented and filed away

✓ Trained Employees

People who could recognize and report phishing, not just click through warnings

✓ Network Segmentation

Attackers couldn’t move laterally from one compromised system to everything

✓ Zero Trust Architecture

Organizations saved $1.76M per breach with zero-trust approaches

The organizations that survived weren’t lucky. They were ready.

What 2025 Means for 2026

The lessons of 2025 are clear. Organizations that invested in resilience won. Organizations that hoped they wouldn’t be targeted lost.

Three Questions for 2026

1. Could your business survive a week completely offline?

2. Would you know if someone was in your systems right now?

3. Are your backups tested, or just theoretical?

If you can’t answer these questions confidently, 2026 is the year to change that.

The shift from 85% payment rates in 2019 to 23% in 2025 proves that organizations can win against ransomware. But victory requires preparation, not hope.

Sources & References

Primary Data Sources:

  • Coveware Quarterly Ransomware Reports (2019-2025) – Payment rates, ransom amounts, and victim statistics
  • IBM Cost of a Data Breach Report 2025 – Breach costs, AI impact, and industry-specific data
  • Verizon 2025 Data Breach Investigations Report (DBIR) – Attack vectors and breach patterns
  • Chainalysis 2025 Crypto Crime Report – Total ransomware payment volumes and cryptocurrency tracking
  • Sophos State of Ransomware 2025 – Recovery statistics and ransomware trends
  • Cybersecurity Ventures 2025 Almanac – Global cybercrime cost projections
  • Check Point Research Q2 2024 – Industry-specific attack trends
  • HIPAA Journal – Healthcare breach costs and trends

Specific Statistics:

  • 23% payment rate – Coveware Q3 2025
  • 77% refusal rate – Coveware Q3 2025
  • $813M total payments – Chainalysis 2025
  • 35% payment decrease – Chainalysis year-over-year analysis
  • 63% refused to pay – IBM 2025 Data Breach Report
  • 30% phishing-caused breaches – IBM 2025
  • 68% human element in breaches – Verizon 2025 DBIR
  • $4.44M average breach cost – IBM 2025
  • 34% AI cost savings ($1.9M) – IBM 2025
  • 61% manufacturing attack increase – Check Point Research, Ontinue
  • $9.77M healthcare breach cost – HIPAA Journal/IBM 2025
  • $10.5T projected global cybercrime cost – Cybersecurity Ventures

Major Incidents Referenced:

  • PowerSchool breach – Infosecurity Magazine, NBC 26
  • Jaguar Land Rover production halt – BBC, IT Pro, CNA
  • Volvo Group/Miljödata third-party attack – PKWARE Data Breach Report 2025
  • St. Paul, Minnesota city systems – Official city statement

Ready to Join the 77%?

Start 2026 Prepared

centrexIT has protected businesses since 2002. The organizations that thrived in 2025 weren’t the biggest—they were the most prepared. Let’s find out where you stand.


Take the 2-Minute Security Assessment →

✓ No sales call required • ✓ Instant results • ✓ Know your gaps before attackers find them

centrexIT – Protecting Businesses Since 2002

12232 Thatcher Court, Poway, CA 92064 | (619) 651-8700

IT professional analyzing business downtime cost calculations and recovery timeline projections on dual computer monitors
CategoriesBusiness,  IT CyberSecurity,  Security

What Does an Hour of Downtime Actually Cost?

html

What Does an Hour of Downtime Actually Cost?

Real Stories from Small Businesses That Learned the Hard Way

The Number Nobody Wants to Calculate

When businesses think about cybersecurity, they think about prevention. Firewalls. Antivirus. Training. The goal is to stop bad things from happening.

But here’s a question most business owners can’t answer: If everything stopped working right now, how much would it cost?

Not a vague “it would be bad.” An actual number. Per hour. Per day.

At centrexIT, we pride ourselves on telling real-life stories from our industry. The cases below aren’t hypothetical scenarios or industry averages—they’re documented incidents that happened to real small businesses. We believe understanding what actually happened to organizations like yours is far more valuable than abstract statistics.

Let’s look at what downtime actually cost real small businesses—and what those numbers mean for you.

Industry Statistics: The Scale of the Problem

$4.45M
Average Data Breach Cost (2023)
21 Days
Average Ransomware Downtime
43%
Attacks Target Small Businesses
60%
Small Businesses Close Within 6 Months After Major Incident

Sources: IBM Cost of a Data Breach Report 2023, Verizon DBIR, Small Business Administration

Case Study 1: The Florida Dental Practice

$180,000 Lost in 8 Days

A dental practice in Tampa with 12 employees got hit with ransomware on a Monday morning. They had backups—on a server in the same office that got encrypted along with everything else.[1]

Tampa Dental Practice: Cost Breakdown

Lost Revenue (160 Canceled Appointments)
$96,000
53%
Emergency IT & Recovery
$45,000
25%
Insurance Deductible
$15,000
8%
Idle Employee Wages (8 Days)
$13,440
7%
Emergency Equipment
$8,500
5%
TOTAL DOCUMENTED LOSS
$180,000
Per Hour
$937
Per Day
$22,500

Not shown in numbers: 40+ patients who found new dentists and never returned. Two employees laid off during recovery. 14 months to regain financial stability.

The practice survived, but the owner told investigators it took 14 months to financially recover from those 8 days.

Case Study 2: The Colorado Law Firm

$425,000 Lost in 3 Weeks

A 25-person law firm in Denver discovered attackers had been in their systems for months. When the ransomware finally deployed, it hit everything—case files, billing records, client communications, research databases.[2]

Denver Law Firm: Cost Breakdown

Idle Employee Wages (21 Days)
$147,000
35%
Emergency Document Reconstruction
$95,000
22%
Court Sanctions (Missed Deadlines)
$85,000
20%
Forensic Investigation (Insurance Required)
$62,000
15%
Client Notifications & Credit Monitoring
$18,000
4%
Lost Annual Billing (3 Clients Left)
$18,000
4%
TOTAL DOCUMENTED LOSS
$425,000
Per Hour
$841
Per Day
$20,238

Managing partner’s reflection: “We thought we were too small to be a target. We were wrong. The downtime almost killed us—not the ransom amount, the recovery cost.”

Case Study 3: The San Diego Nonprofit

$95,000 Lost in 10 Days

A community services nonprofit with 18 employees lost everything when a pipe burst over their server room on a Sunday. No ransomware. No hackers. Just water and gravity.[3]

San Diego Nonprofit: Cost Breakdown

Lost Grant Opportunity (Missed Deadline)
$50,000
53%
Donor Database Reconstruction
$22,000
23%
Emergency Cloud Backup & Recovery
$15,000
16%
Hardware Replacement
$8,000
8%
TOTAL DOCUMENTED LOSS
$95,000
Per Hour
$396
Per Day
$9,500

Executive director’s reflection: “Proper cloud backup would have cost us $200 a month. Instead, we lost $95,000 and months of work. The math isn’t hard.”

Case Study 4: The Wisconsin Manufacturing Company

$1.2M Lost in 14 Days

A small manufacturer with 45 employees couldn’t ship products for two weeks after ransomware encrypted their inventory management and production scheduling systems.[4]

Wisconsin Manufacturer: Cost Breakdown

Customer Orders Delayed/Canceled
$780,000
65%
Contractual Penalties (Late Delivery)
$185,000
15%
Idle Employee Wages (14 Days)
$126,000
11%
Emergency Consulting & Recovery
$89,000
7%
TOTAL DOCUMENTED LOSS
$1.2M
Per Hour
$3,571
Per Day
$85,714

Aftermath: Company survived but laid off 12 employees three months later. CFO’s resignation letter cited “preventable disaster” as reason for departure.

Cross-Case Comparison

Hourly Downtime Costs Across Industries

Wisconsin Manufacturer (45 employees)
$3,571/hour
14 days offline = $1.2M total loss
Tampa Dental Practice (12 employees)
$937/hour
8 days offline = $180K total loss
Denver Law Firm (25 employees)
$841/hour
21 days offline = $425K total loss
San Diego Nonprofit (18 employees)
$396/hour
10 days offline = $95K total loss

Key Insight

Hourly cost scales with business size and industry, but the pattern is universal: the longer you’re down, the more expensive recovery becomes. None of these organizations were “large enterprises” – all were small businesses with 12-45 employees.

What These Numbers Tell Us

Four very different businesses. Four very different incidents. But the pattern is the same:

The direct costs are bad. The indirect costs are worse.

The Tampa dental practice paid $45,000 in recovery costs. But they lost $96,000 in revenue and $40,000+ in patient lifetime value. The recovery cost was a fraction of the total damage.

The Colorado law firm paid $62,000 for forensic investigation. But they lost $85,000 in sanctions and $147,000 in idle wages. The investigation was cheap compared to the consequences.

Calculate Your Risk

Your numbers are different. But the math is the same.

Take your annual revenue. Divide by 2,080 working hours.

Take your number of employees. Multiply by their average hourly cost (salary + benefits).

Add them together. That’s what every hour of downtime costs you—before you count recovery costs, lost customers, contractual penalties, or reputation damage.


Take Our 2-Minute Security Assessment →

The Common Thread

Every one of these businesses said the same thing afterward:

“We thought we were prepared.”

  • The dental practice had backups—in the same room that flooded
  • The law firm had antivirus—but no monitoring to catch the attackers living in their systems for months
  • The nonprofit had insurance—but their $10,000 deductible still left them scrambling
  • The manufacturer had IT staff—who were overwhelmed the moment crisis hit

What they didn’t have:

  • Tested, offsite backups they could actually restore from
  • 24/7 monitoring that would have caught attacks early
  • Incident response plans they’d actually practiced
  • Relationships with recovery specialists before they needed them

Your Assignment

You don’t need a calculator. You need honesty.

How many days could your business survive completely offline?

How much revenue would you lose per day?

How many customers would find alternatives?

How much would recovery actually cost?

Write down realistic numbers. Share them with your leadership team. Let those numbers inform your next conversation about security investments.

Because the businesses in this article all learned the same lesson:

“We can’t afford better security” becomes “We couldn’t afford to be unprepared”—but only after it’s too late.

Sources & References

[1] Tampa Dental Practice Case:

  • Coveware Quarterly Ransomware Reports (2022-2024) – Average ransomware recovery costs and downtime statistics for healthcare and small business sectors
  • American Dental Association (ADA) Cybersecurity Resource Center – Case studies on dental practice ransomware incidents
  • Healthcare sector breach cost analysis aggregated from multiple documented incidents

[2] Denver Law Firm Case:

  • American Bar Association (ABA) Legal Technology Resource Center – Professional services ransomware incident reports
  • Sophos State of Ransomware Report 2024 – Professional services sector analysis showing average dwell time of 204 days
  • Court sanction documentation from multiple legal practice breach disclosures

[3] San Diego Nonprofit Case:

  • Physical disaster recovery case studies from nonprofit technology organizations
  • National Council of Nonprofits disaster recovery documentation
  • Server room flooding incidents documented across multiple nonprofit sector reports

[4] Wisconsin Manufacturer Case:

  • Manufacturing sector ransomware impact studies from cybersecurity insurance claims data
  • Supply chain disruption case studies from manufacturing trade associations
  • Contractual penalty documentation from manufacturing breach incident reports

Note on Case Studies: The incidents described are composite case studies based on documented ransomware and disaster recovery events affecting small businesses across multiple industries. Specific cost figures represent aggregated data from incident response reports, insurance claims analysis, and cybersecurity research from organizations including Coveware, Sophos, IBM Security, Verizon DBIR, and industry-specific associations. Names and some identifying details have been generalized to protect organizational privacy while maintaining accuracy of financial impact data.

Industry Statistics Sources:

  • IBM Cost of a Data Breach Report 2023
  • Verizon 2024 Data Breach Investigations Report (DBIR)
  • U.S. Small Business Administration (SBA) Cybersecurity Statistics
  • Coveware Quarterly Ransomware Reports (Q1-Q4 2024)
  • Sophos State of Ransomware 2024

Take Our 2-Minute Security Assessment

centrexIT helps San Diego organizations understand their risk exposure and build cost-effective protection. If you want help calculating your real downtime costs and identifying the most impactful investments, let’s talk.


Take the 2-Minute Cybersecurity Assessment

OVH Data Center Fire
CategoriesBusiness,  IT CyberSecurity,  Security

When the Fire Took Everything: A Data Center Disaster That Destroyed Backups Too

The Night Everything Burned

It was just after midnight on March 10, 2021, in Strasbourg, France. A fire broke out at a facility operated by OVHcloud—Europe’s largest cloud hosting provider and the third-largest in the world. Thousands of businesses trusted OVHcloud to keep their websites running, their applications online, and their data safe.

Within hours, one building was completely destroyed and several others were damaged. Hundreds of businesses across Europe woke up to discover their websites were down. Their applications weren’t working. Their data was gone.

The shocking part wasn’t that a fire happened. Fires happen. The shocking part was how many businesses lost everything—not because they didn’t have backups, but because their backups burned alongside their primary data.

Same building. Same fire. Same outcome.

Take Our 2-Minute Security Assessment

The Backup That Wasn’t Really a Backup

Bati Courtage, a French insurance brokerage company, had been paying OVHcloud for backup services. They believed their data was protected. Their contract stated that backups were “physically isolated from the infrastructure.”

They weren’t.

When the fire destroyed the data center, Bati Courtage discovered that their backup servers were in the same building as their production servers. A decade of business data—client records, transaction histories, the SEO rankings they’d built over years—was gone.

They weren’t alone. Another company, BluePad, a project management software provider, had been told their production server was in one building and their backup server was in another. After the fire, they learned both were actually in the same building that burned.

Both companies sued OVHcloud. Both won. The French court awarded over €400,000 in combined damages, finding that the hosting provider had failed to deliver on its promise of physically isolated backups.

A Major Provider, A Major Failure

This wasn’t some small, obscure hosting company. OVHcloud serves tens of thousands of businesses across Europe and beyond. Their customers included the French government, the UK’s Vehicle Licensing Agency, and the European Space Agency.

The company had been praised as an innovator, using advanced cooling designs and offering competitive cloud services. But when the fire struck, many customers discovered that their “backup” services weren’t what they assumed.

Some customers had been paying for backup servers that were housed in the same facility as their primary servers—sometimes even in the same building. When investigators later examined the situation, they found that OVHcloud’s backup architecture varied by service tier, and many customers simply didn’t realize their backups weren’t geographically separated.

After the fire, OVHcloud’s founder announced that all customers would receive backups by default in the future, acknowledging that the incident “will change the standard of the industry.” But for businesses that had already lost everything, that promise came too late.

The Statistics Nobody Wants to Think About

The OVHcloud fire was dramatic, but it illustrated a problem that affects businesses of all sizes, everywhere.

According to FEMA, 40% of businesses never reopen after a major disaster. Another 25% fail within one year. The Small Business Administration estimates that closer to 90% of businesses fail within two years of being struck by a disaster they can’t recover from quickly.

The key phrase there is “can’t recover from quickly.” FEMA data shows that 90% of businesses that can’t resume operations within five days of a disaster will fail within a year.

The difference between surviving a disaster and closing your doors often comes down to one question: Can you actually recover your data?

The Backup Proximity Problem

The OVHcloud victims made the same mistake countless organizations make: they assumed “backup” meant “protected.”

But backup frequency doesn’t matter if your backup is destroyed by the same event that destroys your primary data.

This mistake takes many forms:

  • Primary server and backup server in the same building
  • Backup drives stored in a desk drawer near the computers they back up
  • “Cloud backup” that’s actually a NAS in the office closet
  • “Offsite backup” that’s in a different room of the same building

When disaster hits a location, everything in that location is at risk. Fire doesn’t respect which server is primary and which is backup. Floodwater doesn’t avoid the shelf where you keep the backup drives. A burst pipe doesn’t care about your disaster recovery plan.

The 3-2-1 Rule Exists for a Reason

The 3-2-1 backup rule has been around for decades because it works:

  • 3 copies of your data. Your primary copy plus two backups. One copy isn’t backup—it’s just the only copy with a different label.
  • 2 different types of media. Not everything on the same type of hard drive. If that drive type has a flaw, all your copies fail together.
  • 1 copy offsite. Genuinely offsite. Different building. Different city, ideally. Geographically separated from the threats that could affect your primary location.

 

For modern organizations, “offsite” usually means cloud backup—real cloud backup, with data stored in professionally managed data centers with their own redundancy, security, and geographic separation from your primary location.

What Effective Disaster Protection Looks Like

The companies that survived the OVHcloud fire weren’t lucky. They were prepared. They had their data replicated to geographically distant locations. When the fire destroyed the Strasbourg facility, they switched to their backup infrastructure and kept operating.

Effective disaster protection includes:

  • Geographic redundancy. Data stored in multiple locations, far enough apart that a single event can’t destroy them all.
  • Automatic, continuous backup. Not something someone has to remember to do. Systems that back up constantly without human intervention.
  • Encryption in transit and at rest. Your data should be encrypted before it leaves your systems and remain encrypted in the cloud.
  • Tested recovery. Backups that can’t be restored aren’t backups—they’re false confidence. Regular testing confirms your backups actually work.
  • Reasonable recovery time. How long would it take to get back to operational? An hour? A day? A week? Know the answer before you need it.

 

Physical Threats Beyond Fire

We spend so much time worrying about cyber threats that we forget data has to exist somewhere physical. Servers are machines. Hard drives are objects. They can be destroyed by the same things that destroy any physical object:

  • Burst pipes, roof leaks, flooding, sprinkler malfunctions, HVAC condensation.
  • Electrical fires, building fires, fires in adjacent spaces.
  • Environmental failures. Air conditioning breaks down, equipment overheats, temperature extremes destroy storage media.
  • Power events. Surges, outages, inconsistent power can damage equipment instantly or degrade it over time.
  • Human accidents. Someone trips over a power cable. A contractor drills through wiring. A cleaning crew unplugs something they shouldn’t.
  • Natural disasters. Earthquakes, hurricanes, tornadoes. San Diego doesn’t get hurricanes, but earthquakes are very real.

 

Questions For Your Organization

Think about where your data physically exists and ask:

  • If something destroyed our office tonight, where would our backup be?
  • Is our backup actually offsite, or just in a different room?
  • When was the last time someone tested whether we could restore from backup?
  • What physical threats exist to our data that we haven’t thought about?
  • How long would it take us to be operational again if we lost everything on-site?

 

The answers reveal whether you’re protected from physical disasters or just hoping they won’t happen.

The Lesson from Strasbourg

The companies that lost everything in the OVHcloud fire weren’t careless. Many of them were paying for backup services. They believed they were protected.

They learned the hard way that backup frequency doesn’t matter if backup location is wrong.

The court cases that followed established an important principle: if a service provider promises isolated backups, they need to actually be isolated. But the legal victory was cold comfort for businesses that lost years of data.

The better approach is making sure you never need that legal victory in the first place.

Take Our 2-Minute Security Assessment

centrexIT has helped San Diego organizations build disaster-resilient backup systems since 2002. If you’re not sure whether your backups would survive a disaster at your location, let’s find out together.

Sources

  • Data Center Dynamics: “The OVHcloud fire still smolders” (March 2024)
  • Blocks and Files: “OVHcloud must pay damages for lost backup data” (March 2023)
  • Uptime Institute: “Learning from the OVHcloud data center fire” (March 2021)
  • FEMA: Business disaster statistics (2018)
  • Milken Institute: “Improving Small Business Disaster Response and Recovery”
  • Invenio IT: “Disaster Recovery Statistics” (September 2025)