The Call Sounded Legitimate. It Wasn’t.

Someone called CarGurus’ IT helpdesk and said they were an employee who needed help accessing their account. They knew enough to sound convincing — the right terminology, the right context, the right urgency. The helpdesk did what helpdesks do: they helped.

On February 13, 2026, that phone call gave attackers access to CarGurus’ systems. By February 21, the notorious extortion group ShinyHunters had published a 6.1 gigabyte archive of stolen data on their dark web leak site. Have I Been Pwned confirmed the breach contained more than 12.5 million records — names, email addresses, phone numbers, physical addresses, IP addresses, finance pre-qualification application data, and dealer account information.

CarGurus confirmed the incident in a statement to TechCrunch: the company “experienced a cybersecurity incident,” secured the affected environment, and engaged a forensic firm to investigate. They noted the activity appeared contained and limited in scope — but the data was already public.

CarGurus is not an isolated incident. It is the latest in a pattern.

The ShinyHunters Playbook: How a Phone Call Bypasses Your Technical Controls

ShinyHunters is a prolific extortion group that has refined a remarkably straightforward attack model. They don’t need to find a software vulnerability. They don’t need to deploy malware. They call your helpdesk and ask for access.

The technique is known as vishing — voice phishing. In ShinyHunters’ version, attackers call IT helpdesks or SSO support lines and impersonate employees who need their single sign-on credentials reset. When the helpdesk resets or bypasses authentication, the attackers obtain a valid access code for Okta, Microsoft, or Google SSO — which then opens the door to connected systems, data, and files.

The same technique was used in a string of high-profile breaches in early 2026. According to reporting by The Register and SecurityWeek, the ShinyHunters-affiliated campaign in this period also compromised Betterment, Panera Bread, Match Group (including the dating platforms Hinge, Match.com, and OkCupid), CarMax, Edmunds, investment advisory firms Mercer Advisors and Beacon Pointe Advisors, and fintech lending platform Figure Technology Solutions.

Different companies. Different industries. Same phone call.

Curious About Where You Stand?  Take the 2-Minute Cybersecurity Assessment

Why This Attack Works — and Why Technical Controls Don’t Stop It

The uncomfortable truth about vishing attacks is that they succeed precisely because your technical controls are working. Multi-factor authentication, SSO platforms, and identity verification systems are doing exactly what they’re designed to do — they’re protecting access behind a human verification step. And then an attacker convinces that human to open the door.

According to the Verizon 2025 Data Breach Investigations Report, the human element was involved in 60% of all breaches analyzed — whether through errors, social engineering, or manipulation. That number has remained stubbornly consistent across years of increasingly sophisticated technical defenses. Technology has not closed the human gap. It has, in some ways, made the human gap more valuable to attackers.

When every digital access point requires a human to verify identity, compromising that human becomes the most efficient path into the system. ShinyHunters has built a business model around exactly that insight.

The specific vulnerability in these attacks is often the culture of helpfulness that makes IT teams effective. Helpdesks exist to solve problems for employees. They are trained to be responsive. They work under pressure to resolve issues quickly. When someone calls with a plausible story and the right information — an employee name, a department, a manager’s name, details found in a LinkedIn profile or previous breach — the instinct to help can override the instinct to verify.

What These Breaches Have in Common

Looking across the companies hit by the ShinyHunters campaign, a few patterns emerge.

First, all of them used SSO platforms — Okta, Microsoft, or Google — as their primary authentication layer. SSO is a security improvement over independent credentials for every application. But it also means a single compromised access point can open multiple connected systems simultaneously. The more valuable your SSO access is, the more valuable it is to an attacker who can social engineer their way to it.

Second, none of the breaches involved a technical exploit in the traditional sense. No zero-day vulnerability. No malware. No sophisticated intrusion chain. A person on a phone convinced another person to provide access. The investment required to launch this attack is minimal. The potential return is enormous.

Third, the organizations targeted span every industry: automotive, financial services, food service, entertainment, investment management. ShinyHunters is not targeting specific sectors. They are targeting any organization where a helpdesk phone call is part of the credential recovery process.

Three Controls That Actually Defend Against Vishing

Technical security controls are necessary but not sufficient against social engineering. The organizations that defend against vishing attacks successfully combine procedural controls with cultural expectations.

1. Out-of-band identity verification for credential resets. Before any credential is reset or authentication is bypassed over the phone, require the caller to verify identity through a separate channel — a pre-registered email, a manager approval, a callback to the employee’s documented number. The verification step cannot be completed using information the caller provides during the call itself. “I’m calling from IT, here’s my employee ID” is not verification.

2. Phishing-resistant MFA for privileged access. Standard MFA — one-time codes, push notifications, number matching — can be bypassed through social engineering. Phishing-resistant authentication methods, such as hardware security keys or passkeys, require physical possession of a registered device and cannot be transferred over a phone call. For your highest-value access points, standard MFA is no longer sufficient.

3. Empower employees to slow down and verify. Helpdesk staff need explicit permission — and organizational backing — to refuse a credential reset when verification cannot be confirmed. Urgency is a social engineering tool. Attackers who claim they’re locked out of something critical and need access immediately are using pressure to override procedure. A culture where “I need to verify this before I can help you” is the expected and supported response is one of the most effective defenses against vishing.

The Cost of Getting This Wrong

According to IBM’s 2025 Cost of a Data Breach Report, the average cost of a breach for U.S. organizations reached a record $10.22 million. CarGurus has not disclosed the financial impact of their incident. But for context: the 12.5 million records stolen include finance pre-qualification data — information that could be used for targeted fraud, identity theft, and follow-on phishing attacks against people who were simply shopping for a car.

The cost is not just financial. ShinyHunters’ model includes public shaming — posting stolen data when extortion fails, as they did with CarGurus. The reputational damage, customer notification requirements, and regulatory scrutiny that follow a public breach add costs that go well beyond the immediate incident response.

A phone call costs an attacker almost nothing. The verification procedures that stop that call cost an organization very little to implement. The math argues strongly for getting the procedures right before the call comes in.

---

centrexIT has protected businesses since 2002. If the CarGurus breach raises questions about your own helpdesk procedures or SSO security posture, we can help you find out where you stand.

Take the 2-Minute Cybersecurity Assessment

Sources

• TechCrunch: “CarGurus data breach affects 12.5 million accounts” — February 24, 2026
• SecurityWeek: “CarGurus Data Breach Impacts Over 12 Million Users” — February 25, 2026
• The Register: “ShinyHunters claims it drove off with 1.7M CarGurus records” — February 2026 (includes other victim list: Betterment, Panera Bread, Match Group, CarMax, Edmunds, Mercer Advisors, Beacon Pointe Advisors)
• Have I Been Pwned: CarGurus Data Breach — breach verification, 12M+ email addresses confirmed
• Verizon: 2025 Data Breach Investigations Report — human element involved in 60% of all breaches
• IBM: Cost of a Data Breach Report 2025 — U.S. average breach cost $10.22M

At some point in a conversation about managed IT services, someone usually asks a version of the same question.

“If AI is monitoring our systems around the clock, what exactly does a human IT team do?”

It’s a reasonable question, and the answer matters if you’re trying to evaluate what you’re actually getting from a managed services provider in 2026.

The short version: AI and human IT professionals are good at different things. The gap between a strong managed IT provider and a mediocre one isn’t which tools they use—everyone has monitoring tools now. The gap is in how effectively human judgment and AI capability work together.

What AI Monitoring Actually Does

Modern network monitoring tools powered by AI do things human teams genuinely cannot. They watch thousands of data points simultaneously—network traffic patterns, login behaviors, device health metrics, file access activity, endpoint events—without fatigue, distraction, or working hours.

They detect anomalies in milliseconds. A login attempt from an unusual location at 3 AM registers immediately. A sudden spike in outbound data transfer triggers an alert before a human analyst has seen it. A pattern of failed authentication attempts that suggests credential stuffing surfaces across multiple systems at once.

For high-volume, pattern-matching work, AI doesn’t perform as well as human analysts. It outperforms them. Speed, consistency, and the ability to correlate signals across systems that a human might not connect until hours later are genuine advantages that AI monitoring tools deliver.

These capabilities are real. Any managed IT provider worth working with uses them.

Where AI Monitoring Falls Short

Here’s what doesn’t show up in the product demo.

AI monitoring tools surface signals. They identify what looks anomalous based on patterns. But they have no way of knowing whether an anomaly is actually a problem or whether context makes it expected and harmless.

A login from an unfamiliar location at an unusual hour looks identical whether it’s an attacker who stole a credential or your CFO logging in from a hotel in Tokyo where she’s attending a board meeting she mentioned to your IT team two weeks ago.

The monitoring system sees the same data either way. An automated response treats both situations identically. A human team that knows your business knows the difference.

This is the gap that separates AI monitoring from AI-amplified IT support: context. The knowledge of who your people are, what your business does, what’s unusual versus what’s legitimately different, and when acting on an alert would create more problems than it solves.

<<Take Our 2-Minute Security Assessment>>

centrexIT has helped organizations build layered IT and security programs since 2002. If you want to understand where your current monitoring setup has gaps, we can help you find them quickly.

What Human IT Teams Actually Do

In an AI-augmented IT support model, human professionals are not doing what AI does, slower. They’re doing what AI can’t do at all.

They maintain the relationships and context that make alert triage meaningful. They know which users handle sensitive data regularly and which ones triggering a data access alert are behaving unexpectedly. They know which systems are undergoing planned changes and which change represents a problem.

They make judgment calls on ambiguous situations. Is this a security incident or a configuration issue that needs to be escalated to a vendor? Is this user behavior suspicious or does it fit a pattern that’s been discussed? Is this network anomaly a threat or a large file transfer that someone mentioned last week?

They handle the communication and coordination that happens when something goes wrong. Keeping stakeholders informed. Working with vendors when issues involve third-party systems. Explaining what happened and what it means to people who aren’t IT professionals.

They review what AI surfaces and decide what to do about it. Not every alert warrants the same response. Prioritization, escalation decisions, and the judgment about when to wake someone up at 3 AM versus when to handle it quietly without disrupting anyone—these decisions require human judgment about business context that AI doesn’t have.

The Research on Human-AI Collaboration

The case for combining human expertise with AI tools isn’t theoretical. Harvard Business School researchers studying 791 professionals at Procter & Gamble found that human teams working with AI outperformed all other groups—including individuals using AI and teams working without it. The researchers described AI as capable of acting as a “cybernetic teammate,” but concluded that for top-tier performance, a full human team plus AI is the combination that wins.

The finding isn’t that AI replaces team members or that teams can be smaller. It’s that the combination produces outcomes neither can reach independently. In managed IT, that translates directly: AI provides the speed and coverage that human-only monitoring can’t match, and the human team provides the context and judgment that make monitoring data meaningful.

What to Ask Your Managed IT Provider

As AI becomes standard in managed IT services, the right question isn’t whether a provider uses AI monitoring tools. Almost everyone does or will soon. The questions that actually differentiate providers are:

Who reviews the alerts that AI surfaces? Is there a human team evaluating what AI flags, or are automated responses handling incidents without human oversight?

How do they account for context? What happens when an alert fires for a situation that has a benign explanation? Does the team know your business well enough to recognize those situations?

What’s the escalation path? When does human intervention happen, and who makes that call?

How do they handle the situations AI isn’t designed for—the communication, the coordination, the judgment calls that require understanding your business, not just your systems?

The answers to these questions tell you more about the quality of a managed IT relationship than the technology stack does.

The centrexIT Model

When we describe centrexIT as “People-First. AI-Amplified.” this is the operational reality behind that positioning.

AI handles the watch. Our team makes the calls. AI provides speed and coverage that human-only monitoring can’t match. Our team provides the context, judgment, and relationships that transform monitoring data into actual protection.

Neither component works as well without the other. The combination produces IT support that knows your business—not just your systems—and responds accordingly.

Since 2002, the foundation of how we work has been the same: real people who know their clients, supported by the best tools available. AI changes the tools significantly. It doesn’t change the foundation.

See Where Your Current IT Setup Stands

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

Source

• Dell’Acqua, F., Ayoubi, C., Lifshitz, H., Sadun, R., Mollick, E., et al. “The Cybernetic Teammate: A Field Experiment on Generative AI Reshaping Teamwork and Expertise.” Harvard Business School Working Paper, No. 25-021, 2024. Available via Harvard Business School Working Knowledge: https://www.library.hbs.edu/working-knowledge/when-ai-joins-the-team-better-ideas-surface

From 5 Hours to 72 Minutes

In 2024, attackers who breached a network needed roughly 285 minutes to find and steal sensitive data. Nearly five hours from initial access to exfiltration.

In 2025, that window collapsed to 72 minutes.

That finding comes from Palo Alto Networks’ 2026 Unit 42 Global Incident Response Report, which analyzed more than 750 real-world incidents across 50 countries. The report describes AI as a “force multiplier” for attackers—automating reconnaissance, generating convincing phishing emails, and exploiting vulnerabilities within minutes of public disclosure.

The implication is straightforward: the defenses most organizations rely on were designed for threats that moved in hours or days. Those threats now move in minutes.

What AI Changes for Attackers

AI hasn’t replaced human attackers. It’s made them faster and more effective at every stage of an intrusion.

Reconnaissance that once required days of manual scanning now happens in minutes. AI systems can probe thousands of potential entry points, analyze publicly available information, and identify the weakest links in a target’s infrastructure—all before a human operator makes a single decision.

Phishing has undergone a similar transformation. AI-generated phishing emails now achieve a 54% click-through rate, compared to roughly 12% for manually crafted attempts. The emails are grammatically flawless, contextually personalized, and nearly indistinguishable from legitimate communications.

Once inside a network, the acceleration continues. The Unit 42 report found that 87% of incidents spanned two or more attack surfaces simultaneously—endpoints, cloud environments, SaaS applications, and identity systems. Attackers aren’t moving through one door and down one hallway. They’re moving through multiple doors at once.

Take Our 2-Minute Security Assessment

centrexIT has helped San Diego businesses assess and strengthen their security posture since 2002. Understanding where you stand is the first step.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

The Identity Problem

Here’s the finding that should redirect security budgets: 90% of the breaches Unit 42 investigated involved identity weaknesses as a material factor.

Not sophisticated zero-day exploits. Not nation-state-level hacking tools. Identity weaknesses. Stolen credentials, misconfigured access controls, overprivileged accounts, and weak authentication.

Sam Rubin, SVP of Unit 42 Consulting and Threat Intelligence, described the core issue as “operational sprawl and over-trust in interconnected systems.” Organizations have expanded their technology footprints—cloud services, SaaS applications, remote access tools—without tightening the identity controls that govern who can access what.

Attackers have noticed. Rather than investing effort in complex technical exploits, they’re increasingly bypassing software vulnerabilities entirely and targeting the credentials that unlock everything.

Why Speed Alone Isn’t the Answer

It’s tempting to read “72 minutes” and conclude that security teams simply need to respond faster. That’s partially true. But speed without fundamentals is just faster chaos.

The Unit 42 report found that misconfigurations and security gaps were present in 90% of investigated breaches. Exposed services, overly broad permissions, weak controls around cloud resources, and fragmented monitoring created the conditions attackers exploited.

In other words, many of these attacks succeeded not because defenders were too slow, but because the environment was already compromised by its own complexity. Attackers didn’t need to be fast when the doors were already open.

The practical takeaway: before investing in faster detection tools, verify that your identity controls, access permissions, and configuration management are actually functioning. The most sophisticated threat detection in the world doesn’t help if every user has admin access and your cloud storage is publicly readable.

What AI-Amplified Defense Actually Looks Like

If AI is a force multiplier for attackers, the same technology has to serve defenders. Organizations using AI-powered security tools detect threats roughly 60% faster and reduce breach costs by an average of $1.9 million per incident, according to IBM’s analysis.

But AI-amplified defense isn’t about replacing security teams with algorithms. It’s about giving human analysts the speed and coverage they can’t achieve alone.

Automated monitoring that watches every access attempt, every configuration change, and every anomalous pattern across endpoints, cloud, and identity systems—continuously, at machine speed. Human expertise that investigates alerts, makes judgment calls, and adapts strategy based on business context no algorithm can fully understand.

People directing. AI executing. People verifying.

That’s the model the threat landscape now demands. Not human OR machine. Human AND machine, working together.

What This Means for Your Business

You don’t need to match the sophistication of the attackers described in the Unit 42 report. But you need to close the gaps they’re walking through.

Start with identity. Multi-factor authentication prevents 99.9% of account compromises, according to Microsoft. That single control addresses the entry point used in the vast majority of breaches.

Review access privileges. How many people have admin access who don’t need it? How many service accounts have standing permissions that should be just-in-time? How many former employees still have active credentials?

Assess your monitoring coverage. Can you see what’s happening across your endpoints, cloud environments, and identity systems? Or are there blind spots where an attacker could operate for 72 minutes—or 72 days—without detection?

The attacks are faster. The entry points haven’t changed. And the organizations that get the fundamentals right are the ones that survive what’s coming.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

centrexIT has protected businesses since 2002. AI-amplified attacks require AI-amplified defense—but it starts with understanding your current posture.

 

 

 

Sources

• Palo Alto Networks Unit 42 2026 Global Incident Response Report
• CSO Online – “Cyber attacks enabled by basic failings, Palo Alto analysis finds” (February 2026)
• SecurityBrief – “AI-fuelled cyber attacks now steal data in 72 minutes” (February 2026)
• BusinessWorld – “AI-driven cyberattacks now breach systems in 72 minutes, study finds” (February 23, 2026)
• IBM Cost of a Data Breach Report 2025 – AI defense savings data
• Microsoft – Multi-factor authentication effectiveness data

The Defenders Became the Attackers

On December 30, 2025, the Department of Justice announced that two American cybersecurity professionals had pleaded guilty to conspiring to launch ransomware attacks against US companies.

Not hackers who learned their trade on dark web forums. Not foreign actors operating from jurisdictions beyond US law. Security industry professionals employed by reputable firms — people whose jobs were specifically to protect organizations from ransomware.

Ryan Goldberg, 40, worked as an incident response manager at Sygnia, an Israeli-owned cybersecurity firm. Kevin Martin, 36, was a ransomware negotiator at DigitalMint, a company that helps organizations respond to ransomware attacks. A third unnamed co-conspirator remains under investigation.

Together, they deployed BlackCat/ALPHV ransomware against at least five US companies, including three healthcare organizations. They successfully extorted approximately $1.2 million in Bitcoin from a Tampa medical device manufacturer.

Take Our 2-Minute Security Assessment

centrexIT has helped organizations assess their security posture since 2002. If you’re concerned about how insider threats could affect your business, let’s find out together.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

How Security Expertise Became a Weapon

The defendants weren’t just cybersecurity employees — they were specialists in ransomware response. Goldberg’s job involved helping organizations recover from attacks. Martin’s job involved negotiating with attackers to reduce ransom demands and manage incident response.

That expertise translated directly into attack capability. They understood how organizations detect intrusions. They knew the incident response playbooks. They knew how companies evaluate whether to pay ransoms and how ransom negotiations typically proceed.

According to court documents, the three men obtained an affiliate account with the BlackCat/ALPHV ransomware operation in May 2023. They agreed to pay BlackCat’s administrators a 20% cut of any ransoms received in exchange for access to the ransomware toolkit and extortion platform.

Between May 2023 and April 2025, they launched attacks against five companies. Only one paid — a medical device manufacturer that transferred $1,274,781.23 in cryptocurrency. After BlackCat’s 20% cut went to the Russian-linked developers, the three conspirators split their 80% share and laundered the funds through cryptocurrency mixing services.

What BlackCat/ALPHV Was

BlackCat/ALPHV was one of the most prolific ransomware operations before its disruption. The group targeted more than 1,000 organizations globally using a ransomware-as-a-service model, where core developers built and maintained the ransomware while affiliates like Goldberg and Martin carried out attacks.

Notable victims included MGM Resorts (which suffered devastating operational disruptions) and Change Healthcare, whose breach affected 192.7 million individuals — the largest healthcare data breach in US history. In the Change Healthcare attack, the ransomware gang encrypted servers and extracted 6 terabytes of protected health information, demanding and receiving a $22 million ransom.

In December 2023, the FBI disrupted BlackCat’s infrastructure, seized their dark web sites, and developed a decryption tool that helped hundreds of victims recover systems without paying ransoms — saving an estimated $99 million. But the operation had already caused massive damage, and affiliates like Goldberg and Martin continued attacking during the disruption.

The Insider Threat Reality

This case illustrates an uncomfortable truth: the skills that make someone an effective cybersecurity professional also make them a potentially dangerous threat.

Security teams need system access to do their jobs. Incident responders need to understand attack techniques to identify and counter them. Threat analysts need to study criminal operations to anticipate them.

That knowledge and access cuts both ways.

Most cybersecurity professionals are exactly what they appear to be — dedicated defenders working to protect organizations. But the Goldberg/Martin case demonstrates that vetting, monitoring, and access controls matter even for (perhaps especially for) security personnel.

“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva. “Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets.”

What This Means for Organizations

The case raises difficult questions about trust in security partnerships and internal security teams.

Background checks and reference verification matter, but they wouldn’t have caught Goldberg or Martin. Both had legitimate employment histories and professional credentials. The crimes weren’t visible until law enforcement connected the dots.

More practical safeguards focus on limiting damage rather than predicting betrayal. Principle of least privilege means security personnel have access only to what they need, not blanket administrative rights. Separation of duties ensures no single person can execute critical actions without oversight. Audit logging creates accountability trails for sensitive access.

For organizations working with external security vendors, the calculus is similar. Verify credentials and references, but also structure engagements to limit exposure. Don’t give incident responders more access than they need for specific tasks. Maintain independent logging that the vendor can’t modify. Conduct your own verification of findings and recommendations.

None of this is foolproof. A determined insider with the right access can cause significant damage. But the goal is risk reduction, not risk elimination.

The Accountability Question

Goldberg and Martin face maximum penalties of 20 years in prison. They’ve agreed to forfeit $324,123.26 each — roughly their individual shares of the laundered ransom. Sentencing is scheduled for March 12, 2026.

DigitalMint, Martin’s former employer, issued a statement: “We strongly condemn his actions, which were undertaken without the knowledge, permission, or involvement of the company.” Sygnia, Goldberg’s former employer, confirmed he was terminated immediately upon learning of the situation.

For the victims — including three healthcare organizations — the recovery continues. Ransomware attacks cause damage beyond the ransom payment itself: operational disruption, forensic investigation costs, regulatory compliance concerns, and reputational impact.

And for the cybersecurity industry, the case serves as a reminder that trust must be earned and verified continuously, not assumed based on job titles or professional affiliations.

Take Our 2-Minute Security Assessment

centrexIT has helped organizations think through security challenges since 2002. Insider threat is one of many concerns that requires thoughtful governance and appropriate controls.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

Sources

• US Department of Justice Press Release (December 30, 2025)
• Reuters (December 30, 2025) – “Two US Cyber Experts Plead Guilty”
• The Record from Recorded Future News (December 30, 2025)
• Bank Info Security (December 30, 2025) – “2 Cyber Pros Admit to Being BlackCat Affiliates”
• SiliconANGLE (December 30, 2025)

Why AI Policies Matter Now

A year ago, AI policy was a “nice to have” for most businesses. Today, it’s a necessity. Employees are already using AI tools for work—whether you’ve approved them or not. The question isn’t whether to address AI governance but how to do it in a way that works.

The best AI policies share common characteristics: they’re clear enough to follow, flexible enough to be practical, and specific enough to actually guide decisions. The worst policies are either so restrictive that everyone ignores them or so vague that they provide no real guidance.

Take Our 2-Minute Security Assessment

centrexIT has helped businesses develop technology policies since 2002. If you’re not sure where to start with AI governance, let’s find out together.

Take the 2-Minute Cybersecurity Assessment

The Core Components of an AI Policy

Every effective AI acceptable use policy addresses these elements:

Scope: Who does this policy apply to? Employees, contractors, vendors? Does it cover only AI tools used for work, or also personal AI use on company devices?

Data classification: What types of information can interact with AI tools? Public information might have different rules than customer data, financial records, or proprietary processes.

Approved tools: Which specific AI tools are sanctioned for business use? Naming specific tools is clearer than describing categories.

Prohibited uses: What activities are explicitly not allowed? This might include processing regulated data, making final decisions without human review, or representing AI-generated content as human-created.

Accountability: Who is responsible for AI-generated outputs? If AI helps draft a customer communication that contains an error, who owns that mistake?

Review and updates: How often will the policy be reviewed? AI tools and capabilities change rapidly—policies need to keep pace.

AI Acceptable Use Policy Template

The following is a framework you can adapt for your organization. This is a starting point, not a complete policy—customize based on your industry, size, regulatory requirements, and risk tolerance.

Implementation Tips

Creating a policy is just the first step. Making it work requires additional effort:

Communicate clearly: Don’t just email the policy and hope people read it. Walk teams through what it means for their specific work. Answer questions. Provide examples.

Make approved tools available: If you’re requiring enterprise AI tools, ensure employees actually have access to them. Nothing undermines a policy faster than approving tools nobody can use.

Provide training: Help employees understand not just the rules but the reasons. People who understand why AI governance matters make better decisions in ambiguous situations.

Create a feedback channel: Employees will encounter situations the policy doesn’t explicitly address. Give them a way to ask questions and flag issues. Use that feedback to improve the policy.

Review and adjust: AI capabilities change rapidly. A policy that made sense six months ago might need updates. Schedule regular reviews to ensure your guidance remains relevant.

Take Our 2-Minute Security Assessment

centrexIT has helped businesses develop and implement technology policies since 2002. If you’re looking to establish AI governance that works, let’s find out together how we can help.

Take the 2-Minute Cybersecurity Assessment

Sources

• NIST – “AI Risk Management Framework” (2024)
• Gartner – “Enterprise AI Governance Recommendations” (2025)
• IEEE – “Ethical AI Implementation Guidelines” (2024)

I talked to a business owner last month who told me they’d decided to “just ban AI” at their company. No ChatGPT. No Copilot. No AI tools of any kind.

I asked how that was going.

“Honestly? I have no idea if anyone’s following the policy.”

That’s the problem with prohibition: it doesn’t work. Employees who find tools useful will use them regardless of policy. The only difference is whether they do it openly or hide it.

Why Most AI Policies Fail

I’ve seen a lot of AI policies over the past year. The ones that fail share common characteristics:

They try to ban everything. This ignores the reality that AI tools provide genuine productivity benefits. When policies conflict with getting work done, work wins.

They’re written by legal teams in isolation. Policies filled with legalese that nobody reads don’t change behavior. They just provide CYA documentation.

They don’t distinguish between different types of AI use. Using AI to draft a marketing email is different from using AI to analyze customer health records. Policies that treat all AI use identically miss the nuance.

They require approval processes that create friction. If using an approved AI tool requires submitting a request and waiting three days for approval, employees will use unapproved tools with zero wait time.

The policies that work look completely different.

What Actually Works

The businesses I’ve seen successfully manage AI adoption share a different approach:

They start with data classification, not tool restrictions. Before deciding which AI tools are acceptable, they define what data is sensitive. Customer information. Financial records. Proprietary processes. Employee data. Once you know what needs protection, you can evaluate tools based on how they handle that specific information.

They approve specific tools rather than categories. Instead of saying “you can use AI for X but not Y,” they identify specific tools that meet their security requirements. “Use Microsoft Copilot for document work. Use Claude for analysis. Don’t paste customer data into any AI tool.”

They make compliance easier than non-compliance. If the approved AI tool is readily available and works well, employees have no reason to seek alternatives. If the approved tool requires jumping through hoops while ChatGPT is two clicks away, you’ve already lost.

They train on principles, not just rules. Employees who understand why AI governance matters make better decisions in situations the policy doesn’t explicitly cover. “This data is sensitive because…” is more effective than “Don’t do this because the policy says so.”

A Practical Framework

Here’s what I recommend for businesses that want AI governance without bureaucratic overhead:

Tier 1: Public information. Marketing content, general research, public-facing communications. These can use any reputable AI tool with minimal restrictions.

Tier 2: Internal information. Internal processes, non-sensitive business data, general productivity tasks. These should use approved enterprise tools with business accounts, not personal subscriptions.

Tier 3: Sensitive information. Customer data, financial records, employee information, proprietary processes. These either require specially configured AI tools with appropriate data handling agreements, or they don’t touch AI at all.

The framework is simple: know what category your data falls into, and you know what tools you can use with it.

The Training Component

Policies without training are just documents. The businesses that make this work invest time in helping employees understand the why.

Why does it matter where data is processed? Because AI tools send information to external servers that you don’t control.

Why do enterprise tools cost more? Because they come with data handling agreements, admin controls, and compliance features that free tiers don’t include.

Why can’t we just use whatever’s convenient? Because convenience without security creates risk that compounds over time.

When employees understand the reasoning, they become partners in governance rather than obstacles to it.

Making It Real

I’ll be honest: creating an AI policy isn’t the hard part. Following through is. You need to actually provide the approved tools. You need to train people on using them. You need to check periodically whether the policy is being followed or ignored.

The businesses that succeed treat AI governance as an ongoing process, not a one-time project. They review their approved tools quarterly. They survey employees about what’s working and what’s not. They adjust based on what they learn.

The businesses that fail publish a policy, send an all-hands email, and assume the job is done.

Where to Start

If you don’t have AI governance yet, here’s the minimum viable approach:

This week: Find out what AI tools employees are actually using. Ask directly. You might be surprised.

This month: Classify your data. What’s public? What’s internal? What’s sensitive? Most organizations already have some sense of this from other compliance work.

This quarter: Identify approved tools for each data tier. Make them available. Train employees on using them.

That’s it. Not a 40-page policy document. Not a committee that meets for six months. Just clarity about what data matters and what tools are acceptable.

AI governance doesn’t have to mean red tape. It just means intentional decisions about how powerful tools interact with your information.

What’s working at your organization? What’s not? I’m always interested in hearing what other business leaders are learning.

Another Retail Giant Falls to Ransomware

Under Armour has confirmed that a ransomware attack resulted in customer data appearing on dark web forums. The breach exposed approximately 72 million customer records—names, email addresses, purchase histories, and in some cases, partial payment information.

For context, 72 million records represents more than the entire population of California, Texas, and Florida combined. This wasn’t a small data leak. This was a catastrophic exposure of customer trust.

Take Our 2-Minute Security Assessment

centrexIT has helped businesses protect customer data and respond to security incidents since 2002. If you’re not sure how your customer data is protected, let’s find out together.

Take the 2-Minute Cybersecurity Assessment

The Anatomy of a Retail Data Breach

Retail companies make attractive ransomware targets for several reasons. They collect massive amounts of customer data—names, addresses, payment information, purchase histories, loyalty program details. They often operate on thin margins that make security investments compete with other priorities. And they typically have complex technology environments spanning point-of-sale systems, e-commerce platforms, supply chain integrations, and corporate networks.

When ransomware operators breach a retail environment, they don’t just encrypt files anymore. Modern ransomware attacks follow a double-extortion model: attackers steal data first, then encrypt systems. If the victim refuses to pay for decryption, the attackers threaten to publish the stolen data. If the victim still refuses, the data hits the dark web—exactly what happened with Under Armour.

According to the Verizon 2025 Data Breach Investigations Report, ransomware was present in 44% of all breaches analyzed—a significant jump from 32% the previous year. The same report found that ransomware attacks rose 37% overall year-over-year, making it the dominant attack pattern across industries.

What Happens When Customer Data Hits the Dark Web

Once customer records appear on dark web forums, they become tools for additional attacks. Here’s what typically happens:

Credential stuffing: Attackers test the stolen email and password combinations against other services. Since many people reuse passwords, a breach at one company can compromise accounts elsewhere.

Phishing campaigns: With detailed purchase histories, attackers can craft convincing phishing emails. “We noticed a problem with your recent Under Armour order” becomes much more believable when they actually know what you ordered.

Identity theft: Names, addresses, and purchase patterns provide building blocks for identity fraud. Combined with information from other breaches, attackers can construct detailed profiles of potential victims.

Secondary sales: Initial buyers on dark web forums often repackage and resell data to other criminal groups, extending the exposure window indefinitely.

The SMB Connection

Under Armour is a multi-billion dollar company with dedicated security teams and significant technology budgets. If they can suffer a breach of this magnitude, what does that mean for smaller businesses?

The uncomfortable truth: small and mid-size businesses face the same threats but often with fewer resources. According to the Verizon 2025 DBIR, 88% of breaches at small and mid-sized businesses involved ransomware. And the Sophos State of Ransomware 2025 report found that the average recovery cost from a ransomware attack—excluding any ransom payment—was $1.53 million.

But there’s a nuance here that matters. Large enterprises get breached because they’re big targets with complex environments and valuable data. SMBs get breached because they’re easier targets with fewer defenses. Different reasons, but the same devastating outcomes.

Lessons for Every Business

The Under Armour breach reinforces several security fundamentals that apply regardless of company size:

Customer data requires special protection. Not all data is equal. Information that identifies individuals—names, addresses, purchase histories, payment details—deserves the highest level of protection because the consequences of exposure are severe and long-lasting.

Backup alone isn’t ransomware protection. Double-extortion attacks mean that even if you can restore from backups, attackers still have your data. Recovery planning must account for data theft, not just system encryption.

Detection speed matters enormously. The longer attackers remain in your environment before detection, the more data they can steal. Reducing dwell time from months to days can mean the difference between a contained incident and a catastrophic breach.

Incident response planning is essential. When a breach occurs, you don’t have time to figure out who does what. Response plans, communication templates, and decision trees need to exist before you need them.

Questions to Ask Your IT Team

Whether you manage IT internally or work with a partner, these questions can help assess your readiness:

Where does our customer data live? Can you map every system, database, and application that stores or processes customer information?

How would we know if data was being exfiltrated? Do you have monitoring that would detect unusual data transfers?

What’s our ransomware response plan? Beyond restoring from backup, how would you handle a situation where attackers have already stolen data?

When did we last test our backups? Having backups is different from having working, restorable, verified backups.

Take Our 2-Minute Security Assessment

centrexIT has helped businesses protect customer data and prepare for security incidents since 2002. If you’re not sure how your organization would handle a ransomware attack, let’s find out together.

Take the 2-Minute Cybersecurity Assessment

Sources

• Malwarebytes: Under Armour ransomware breach (January 2026)
• TechCrunch: Under Armour data breach claims (January 2026)
• Have I Been Pwned: Under Armour breach listing
• Verizon: 2025 Data Breach Investigations Report
• Sophos: The State of Ransomware 2025

I came across a number recently that I haven’t been able to shake.

88%.

That’s the percentage of ransomware breaches last year that hit small and midsize businesses. Not the big guys. Not government. Businesses like the ones we work with every day.

For larger enterprises? That number is 39%.

When I first saw that, I thought there had to be something off with the data. But it checks out. And honestly, when you think about it, the math makes sense.

Why the Shift Happened

I’ve been in this industry for over two decades now, and I’ve watched the target move. The big companies got serious. They built out security teams, layered their defenses, made themselves expensive to go after. So the attackers adjusted.

It’s kind of like that story I heard early in the pandemic about toilet paper. Remember that? Someone explained to me that we didn’t actually have a shortage. The problem was proportion. It used to be 50/50 between commercial and home use. Then overnight it went to 95/5, and the manufacturers just weren’t set up for that shift.

Same thing happened here. Small and midsize businesses adopted cloud platforms, remote work tools, all these connected systems. That’s great for productivity. But most of them moved faster on the technology than they did on the security around it.

Attackers aren’t dumb. They follow the path of least resistance. Right now, that path runs straight through the mid-market.

The Assumption That Gets People in Trouble

I still hear it from business owners all the time: “We’re not big enough to be worth going after.”

I get why people think that. But here’s what that misses.

These attacks aren’t hand-crafted for each victim anymore. They’re automated. Attackers are running broad campaigns that scan thousands of organizations at once. They don’t care about your revenue. They care about whether your door is open.

And here’s the part that really concerns me: the window between “someone got in” and “everything is locked” has shrunk to about five days. Most businesses don’t even know they’ve been compromised in that timeframe.

Then there’s this: 69% of companies that paid a ransom got hit again. Once you’re marked as someone who pays, you become a repeat target. That’s really a thing now.

What We’re Seeing Work

Look, I’m not going to pretend we have all the answers. We’re far from perfect. But after watching this play out across dozens of organizations, you start to see patterns.

The ones that stay protected tend to share a few things:

They actually know what they have. You can’t protect systems you don’t know exist. Shadow IT, old cloud accounts nobody remembers, contractor access that never got turned off. These gaps are where attackers get in.

They’ve shifted their mindset. Instead of trying to prevent everything, they’re focused on detecting and responding quickly. Perfect prevention isn’t realistic. Fast containment is.

They treat security as ongoing operations, not a one-time project. The businesses that get hit are often the ones who did an audit two years ago and figured they were covered.

They have people watching. The tools are important, but the tools alone aren’t enough. You need people who can see context, who can catch the things that don’t fit a pattern. That’s really what we mean when we talk about People-First, AI-Amplified. The technology makes the people more effective. It doesn’t replace the judgment.

The Question Worth Asking

Here’s what I’d challenge you to think about: if someone started probing your systems tonight, how long would it take you to know?

Not how long until they got in. How long until you noticed someone was trying.

If the honest answer is “I have no idea,” that’s the gap worth closing.

The 88% number isn’t going down anytime soon. But whether your organization ends up part of that statistic is still something you can control.

Let’s Talk About Where You Stand

If you’re not sure what your security gaps look like, I’m happy to spend 30 minutes walking through it with you. No pitch, no pressure. Just an honest conversation about what’s working and what’s not.

Schedule a free 30-minute session

Sources

• Verizon 2025 Data Breach Investigations Report
• Sophos State of Ransomware 2025
• VikingCloud Ransomware Statistics 2026

Five browser extensions were just removed from the Chrome Web Store after security researchers discovered they were stealing login credentials from enterprise HR and business platforms.

The extensions posed as productivity tools for Workday, NetSuite, and SAP SuccessFactors. Instead, they harvested authentication cookies every 60 seconds, blocked security administration pages to prevent incident response, and enabled complete account takeover—all while bypassing multi-factor authentication.

Over 2,300 users installed them before removal. Some are still available on third-party download sites.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

What Happened

On January 15, 2026, security researchers at Socket discovered five malicious Chrome extensions operating as a coordinated attack campaign. The extensions shared identical code structures, API patterns, and infrastructure despite appearing under different publisher names.

The five malicious extensions were:

• DataByCloud 1 (1,000 installs)
• DataByCloud 2 (1,000 installs)
• DataByCloud Access (251 installs)
• Tool Access 11 (101 installs)
• Software Access (unknown installs)

All marketed themselves as tools to streamline access to enterprise platforms, promising faster workflows and bulk account management.

None delivered on those promises. Instead, they executed three distinct attack types simultaneously.

How the Attack Worked

Cookie theft every 60 seconds. The extensions continuously extracted authentication cookies from targeted platforms including Workday, NetSuite, and SAP SuccessFactors. These cookies contain active login tokens that allow access without re-entering credentials. The stolen data was encrypted and sent to remote servers controlled by the attackers.

Security page blocking. Two of the extensions actively blocked access to security administration pages within Workday. When administrators tried to access authentication policies, IP range settings, password reset functions, or audit logs, the pages either displayed blank content or redirected elsewhere. This prevented IT teams from responding to the breach or even detecting unusual activity.

Session hijacking. Using the stolen cookies, attackers could take over authenticated sessions without needing usernames, passwords, or MFA codes. The session tokens were already validated—the attackers simply injected them into their own browsers and gained full access.

Why This Bypassed MFA

Multi-factor authentication protects the login process. It verifies identity when you enter credentials. But once you’re logged in, your session is maintained by cookies and tokens—not continuous MFA checks.

These extensions stole the session tokens after authentication was complete. The attackers didn’t need to bypass MFA because they were hijacking sessions that had already passed all security checks.

This is why session management and browser security matter as much as strong authentication.

What to Do Now

If your organization uses Chrome and accesses HR or business platforms through the browser, take these steps:

Audit installed extensions. Open Chrome, go to the extensions page (chrome://extensions), and review everything installed. Specifically check for and remove these five extensions if present: DataByCloud 1, DataByCloud 2, DataByCloud Access, Tool Access 11, and Software Access. Also remove anything else unfamiliar, especially tools claiming to provide access to HR or ERP platforms. Legitimate enterprise platforms don’t require third-party browser extensions.

Check across all devices. If Chrome sync is enabled, malicious extensions may have spread to multiple devices. Audit each one separately.

Review authentication logs. Check Workday, NetSuite, or SuccessFactors admin panels for unexpected sessions, unfamiliar IP addresses, or access from unusual locations during the period any suspicious extensions were installed.

Reset passwords from a clean system. If you suspect exposure, change passwords—but do it from a device you’ve verified is clean. Resetting from an infected browser means the new credentials get stolen immediately.

Implement extension allowlists. Chrome Enterprise allows organizations to restrict which extensions can be installed. Consider implementing allowlists that only permit approved, vetted extensions.

The Bigger Picture

Browser extensions are one of the most overlooked attack vectors in enterprise security. They run inside the browser with access to everything you access—passwords, session tokens, sensitive data, internal systems.

Traditional perimeter security doesn’t see them. Endpoint protection often ignores them. They bypass network monitoring entirely because the data theft happens within encrypted browser sessions.

Most organizations don’t have policies governing what extensions employees can install. Most don’t audit installed extensions regularly. Most wouldn’t know if an extension was exfiltrating data right now.

This attack worked because browser security is still treated as an afterthought in most enterprise environments. That needs to change.

---

Take Our 2-Minute Security Assessment

centrexIT has protected businesses since 2002. Browser security is just one piece of a comprehensive security posture. Find out where your organization stands.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

---

Sources

• Socket Security Research (January 15, 2026): “5 Malicious Chrome Extensions Enable Session Hijacking in Enterprise HR Platforms”
• The Hacker News (January 16, 2026): “Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts”
• BleepingComputer (January 16, 2026): “Credential-stealing Chrome extensions target enterprise HR platforms”
• Infosecurity Magazine (January 19, 2026): “Malicious Google Chrome Extensions Hijack Workday and Netsuite”

Businesses are asking “should we adopt autonomous systems?” when the better question is “are we ready to adopt autonomous systems?”

Those are very different questions. And the honest answer for many organizations is: not yet.

Here’s why that’s okay—and how to know where you stand.

The Readiness Gap Nobody Talks About

Accenture research shows that only 12% of companies have reached what they call “AI maturity”—the organizational readiness to deploy autonomous systems effectively.

That means 88% of businesses are somewhere on the journey, but not at the destination.

The problem isn’t the technology. AI systems that can monitor networks, respond to incidents, optimize performance, and manage routine operations already exist. They work.

The problem is organizational readiness. Autonomous systems require foundations that many businesses haven’t built yet. Trying to deploy AI before you’re ready doesn’t accelerate progress—it creates expensive failures.

Take the Assessment: https://centrexit.com/cyber-security-readiness-assessment/

The Four Readiness Pillars

After working with dozens of organizations at different stages of this journey, we’ve identified four pillars that determine whether autonomous systems will help you or hurt you.

1. Process Clarity

Autonomous systems execute processes. If your processes aren’t documented, standardized, or consistently followed, giving them to AI just automates chaos.

Ask yourself: If someone asked “how do we handle a security alert?” would five different team members give the same answer? If not, you’re not ready for automation.

You need: Documented workflows, clear escalation paths, and consistent execution. AI can’t create process discipline—it can only amplify what already exists.

2. Data Foundation

AI systems learn from data. If your data is incomplete, inconsistent, or trapped in disconnected systems, autonomous operations will make decisions based on incomplete information.

Ask yourself: Can you easily access accurate data about system performance, user activity, security events, and operational metrics? If gathering that information requires manual effort across multiple tools, your data foundation isn’t ready.

You need: Centralized logging, consistent monitoring, integrated systems, and clean data pipelines. Not perfect data—but reliable, accessible, consistent data.

3. Trust Infrastructure

Autonomous systems require trust—but that trust has to be earned through proven reliability in controlled scenarios.

Ask yourself: Do you have environments where AI can prove itself with limited risk? Can you test autonomous decision-making in non-critical systems before expanding to critical operations?

You need: Sandbox environments, pilot programs, and a phased implementation approach that views AI deployment as gradual adoption, not binary commitment. Trust builds gradually, not overnight.

4. Governance Framework

This is the pillar most organizations skip—and it’s the most critical.

Autonomous systems need clear boundaries. What decisions can AI make independently? What requires human review? What’s completely off-limits to automation?

Ask yourself: If an AI system made a decision that caused a problem, would your team know who’s accountable and what the review process looks like? If the answer is unclear, your governance isn’t ready.

You need: Defined decision authority, accountability structures, override mechanisms, and audit capabilities. AI doesn’t eliminate responsibility—it changes how responsibility is structured.

The Readiness Assessment Framework

Here’s a practical framework to evaluate where you stand:

Level 1: Foundation Building

• Processes are inconsistent or undocumented
• Data exists but isn’t centralized or reliable
• No formal AI governance discussions
• Team skeptical or uncertain about AI

What this means: You’re not ready for autonomous systems yet—but you can start building readiness. Focus on process documentation and data centralization first.

Level 2: Readiness Emerging

• Core processes documented and followed
• Monitoring and logging mostly centralized
• Exploring AI capabilities in limited pilots
• Some governance conversations happening

What this means: You’re building the foundation. Start small-scale pilots in non-critical areas. Use these to build trust and refine governance.

Level 3: Deployment Ready

• Standardized processes across operations
• Reliable, accessible data infrastructure
• Successful pilots with measurable outcomes
• Clear governance framework in place

What this means: You’re ready to expand autonomous systems into production operations. Start with bounded decision-making and expand based on proven results.

Level 4: Operational Maturity

• Autonomous systems handling routine operations
• Continuous learning from operational data
• Mature governance with clear accountability
• Team confidently directing AI systems

What this means: You’re in the 12%. Now the focus shifts to optimization, expanding capabilities, and continuous improvement.

Why Readiness Matters More Than Speed

Companies rush toward autonomous systems because competitors are doing it, or because they feel pressure to “innovate,” or because AI becomes a board-level discussion topic.

The ones who succeed aren’t the fastest to adopt. They’re the ones who build readiness first.

Here’s what happens when organizations skip readiness:

Autonomous systems make bad decisions based on incomplete data. Teams lose trust in AI capabilities. Governance failures create accountability gaps. The organization concludes “AI doesn’t work” when the real problem was “we weren’t ready.”

Contrast that with phased, readiness-based adoption:

Small pilots prove value in controlled environments. Teams build confidence through successful experiences. Governance frameworks prevent surprises. The organization expands AI capabilities because they’ve earned trust through demonstrated results.

Same technology. Completely different outcomes. The difference is readiness.

Where to Start Based on Your Level

If you’re at Level 1, most organizations are still building foundations with you. Your next step isn’t AI deployment—it’s process documentation and data centralization.

If you’re at Level 2, you’re in the pilot phase. Run small experiments in non-critical systems. Build governance frameworks before expanding. Let trust develop through proven performance.

If you’re at Level 3 or 4, you’re ahead of most. Your focus shifts to optimization, risk management, and scaling what’s working.

The autonomous IT era is coming—but it’s not a race where speed wins. It’s a transformation where readiness determines success.

Assess honestly where you stand. Build the foundations that matter. Deploy when you’re ready, not when you feel pressured.

That’s how organizations get autonomous systems that actually work.

Take Our 2-Minute Security Assessment

Readiness starts with understanding where you currently stand. Our cybersecurity assessment helps identify gaps in your foundation—the same foundation autonomous systems require.

centrexIT has helped San Diego businesses operate with confidence since 2002. Now we’re helping them prepare for what comes next.

Take the Assessment: https://centrexit.com/cyber-security-readiness-assessment/