Real‑World Cyber Incidents Hitting Small U.S. Tech Businesses
Think a cybersecurity attack couldn’t happen to your small business? That’s what they thought, too. Whether you’re celebrity real estate developer Barbara Corcoran, a rural hospital or an online grocery delivery startup, your small business is a potential target. Still don’t believe it? Check out the examples below.
- Barbara Corcoran Business Email Compromise (BEC / Phishing)
- St. Margaret’s Health Closure (Ransomware)
- Weee! Grocery Data Exposed (Data Breach)
- Discord.io Shutdown After Hack (Data Leak)
- Young Consulting (Connexure) Ransomware (Ransomware)
- CloudNordic Hosting Wiped (Ransomware)
- National Public Data Mega‑Leak (Data Breach)
- KiranaPro Cloud Wipe (Insider / Cloud)
Barbara Corcoran Company – Business Email Compromise (BEC) Phishing Scam
Summary: A realistic invoice email came from a look‑alike address, convincing the bookkeeper to wire almost $380,000 overseas before the fraud was caught.
Mitigation Tips (plain‑English)
- Confirm big payments by phone or in person. A quick call would have exposed the fake email.
- Block spoofed emails. Publish SPF and DKIM records and a Domain‑based Message Authentication, Reporting and Conformance (DMARC) policy of p=reject so that messages forging your own domain are rejected before staff see them. Note that DMARC does not stop a look‑alike domain that differs by one letter, as in this case; that needs a look‑alike‑sender rule in your mail filter and a human check on every payment change.
- Practice with phishing drills. Regular fake‑phish tests teach everyone to slow down and spot oddities.
More Detail
What happened: Business Email Compromise (BEC) via phishing. Celebrity investor Barbara Corcoran’s company fell victim to a targeted phishing attack that impersonated her assistant’s email. The scammer used an address that differed from the assistant’s by a single letter (a barely noticeable change) and sent a convincing invoice to Corcoran’s bookkeeper, requesting a wire transfer for a real estate renovation. Believing the request was legitimate, the bookkeeper corresponded with the fake address and ultimately wired about $380,000 to the attackers. The fraud was discovered only when the bookkeeper copied the real assistant’s correct address on a follow‑up question, by which time the wire had already been sent. (Fortunately, thanks to quick reporting, the transfer was frozen before the attackers could withdraw it and was reversed; most BEC victims are not so lucky.) The phishing email was tailored and professional, contained no obvious grammar mistakes, and even included a realistic invoice from a legitimate company. The attack exploited human trust and a subtle look‑alike address rather than any technical vulnerability, which is why it passed through the usual email defences. Notably, the scam originated overseas (traced to a Chinese IP address) and succeeded because the one‑letter spelling change went unnoticed.
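One way to catch the one‑letter trick described above is to compare every sender on a payment‑related email against the short list of people who are allowed to request payments, and to hold the message when the address is only an edit or two away from a trusted one. The following is an added example (not code from the Corcoran company or from this page); the addresses in TRUSTED_CONTACTS and the sample headers are constructed, and the Reply‑To mismatch check is an extra signal beyond what the article describes.

```python
"""Look-alike sender check for invoice and payment e-mails (added example, not from the page)."""
from email.utils import parseaddr

# Constructed list of people allowed to request payments; a real deployment
# would load this from the vendor master file or the company address book.
TRUSTED_CONTACTS = {
    "assistant@corcoranrealty.example",
    "cfo@corcoranrealty.example",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; the inputs are short, so the O(len(a)*len(b)) table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_CONTACTS, max_edits: int = 2):
    """Classify a From:/Reply-To: value as 'trusted', 'lookalike' or 'unknown'.

    Returns (verdict, nearest_trusted_address). Local part and domain are compared
    separately, so a one-letter change in either one is caught."""
    _, addr = parseaddr(header_value)
    addr = addr.strip().lower()
    if addr in trusted:
        return "trusted", addr
    local, _, domain = addr.rpartition("@")
    best = None
    for candidate in trusted:
        c_local, _, c_domain = candidate.rpartition("@")
        distance = levenshtein(local, c_local) + levenshtein(domain, c_domain)
        if best is None or distance < best[0]:
            best = (distance, candidate)
    if best is not None and 0 < best[0] <= max_edits:
        return "lookalike", best[1]
    return "unknown", None


def check_payment_request(headers: dict) -> list:
    """Return the reasons a payment e-mail should be held for a phone call.

    headers is a constructed dict of header name -> value, as a mail filter would pass it."""
    reasons = []
    from_verdict, near = classify_sender(headers.get("From", ""))
    if from_verdict == "lookalike":
        reasons.append(f"From address imitates {near}")
    elif from_verdict == "unknown":
        reasons.append("From address is not an approved requester")
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, from_addr = parseaddr(headers.get("From", ""))
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != from_addr.lower():
            reasons.append(f"Reply-To ({reply_addr}) differs from From ({from_addr})")
    return reasons
```

A message that comes back with any reason is not rejected outright; it is routed to a person who confirms the request by phone, which is the control the article recommends. Keep max_edits small: at two edits the check still catches swapped letters and a dropped or added character without flagging every unrelated sender.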
St. Margaret’s Health – Ransomware‑Forced Hospital Closure
Summary: A rural hospital never financially recovered after ransomware crippled its billing and medical‑record systems.
Mitigation Tips (plain‑English)
- Split critical networks. Keep patient‑care devices separate from billing servers so an attack on one does not halt both.
- Run incident‑response drills. Practicing restores and manual processes speeds recovery.
- Share threat alerts. Industry groups such as the Health Information Sharing and Analysis Center (H‑ISAC) warn members quickly.
More Detail
St. Margaret’s Health – Ransomware Contributes to Closure (2023): It’s not just tech startups – even a small community hospital fell victim. St. Margaret’s Health, a healthcare organization in rural Illinois, permanently closed its doors in June 2023 and cited a 2021 ransomware attack as a major factor. That attack had crippled the hospital’s billing and electronic records for months, cutting off revenue streams. Even after systems were eventually restored, the financial damage was done. The hospital couldn’t recover lost income or the extra remediation costs, and combined with other pressures, it was forced to shut down entirely. Sadly, this case shows how a cyber attack can push an already struggling small enterprise over the brink into insolvency.
Weee! Online Grocery – Application Programming Interface (API) Data Breach
Summary: A forgotten API endpoint without login checks let a hacker download over one million customer order records.
Mitigation Tips (plain‑English)
- Lock every API endpoint. Require authentication (for example an OAuth 2.0 access token) on every route, and check that the caller is allowed to see the specific record requested, not just that a token is present.
- Throttle requests. Rate‑limiting stops mass downloads.
- Pentest your APIs regularly. Tools like OWASP Zed Attack Proxy (ZAP) can uncover missing checks.
More Detail
Weee! – Startup Grocery Service Data Breach (2023): Even high‑flying startups aren’t immune. Weee! – a U.S. online grocery delivery startup for Asian and Hispanic foods – confirmed in February 2023 that it had been hacked, exposing about 1.1 million customer accounts. A hacker going by “IntelBroker” stole a year’s worth of order data and leaked it on a hacking forum, claiming it covered 11 million orders. The leaked database included customers’ names, email and street addresses, phone numbers, and even delivery instructions (“leave package at door,” etc.). Fortunately, Weee! did not store payment cards internally, so financial information wasn’t taken. Still, the breach meant over a million people’s contact details were circulating on criminal forums. Weee! had been valued at over $4 billion, yet this incident proved that growth and funding are no shield against breaches. The startup had to notify all affected customers, likely faced reputational damage, and now serves as a warning that fast‑growing tech companies must invest in security early.
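The three tips above (authenticate every route, throttle, and return only what the caller owns) fit in one small handler. The following is an added example, not Weee!’s code or anything from this page; the token table, the ORDERS rows and the request dicts are constructed, and a real service would take tokens from its identity provider and rows from a database.

```python
"""Authenticated, rate-limited order lookup beside the open endpoint it replaces."""
import hmac
import time

# Constructed sample data (not Weee!'s). In production the token store is your
# OAuth 2.0 / identity provider, and ORDERS is a database table.
API_TOKENS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}
ORDERS = [
    {"id": 1, "customer": "alice", "address": "1 Main St", "note": "leave at door"},
    {"id": 2, "customer": "bob", "address": "2 Elm St", "note": "ring bell"},
    {"id": 3, "customer": "alice", "address": "1 Main St", "note": ""},
]


def lookup_token(presented: str):
    """Map a bearer token to a user; constant-time compare avoids timing leaks."""
    for token, user in API_TOKENS.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            return user
    return None


class RateLimiter:
    """Fixed window: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit: int = 60, window: float = 60.0):
        self.limit, self.window = limit, window
        self.hits = {}  # key -> (window_start, count)

    def allow(self, key: str, now: float) -> bool:
        start, count = self.hits.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count <= self.limit


def orders_vulnerable(request: dict):
    """The failure mode described above: no login check, no limit, whole table to anyone."""
    return 200, ORDERS


def orders_hardened(request: dict, limiter: RateLimiter, now: float = None):
    """Require a bearer token, throttle per user, and return only that user's orders."""
    now = time.monotonic() if now is None else now
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    user = lookup_token(token) if scheme == "Bearer" and token else None
    if user is None:
        return 401, {"error": "authentication required"}
    if not limiter.allow(user, now):
        return 429, {"error": "rate limit exceeded"}
    # Object-level authorization: a valid token for alice must never return bob's rows.
    return 200, [o for o in ORDERS if o["customer"] == user]
```

The last line is the one most often missed: an endpoint that checks for a token but then serves any order ID it is asked for is still a mass‑download path, just one that needs a free account first. The limiter here is per user; add a second one keyed on source IP for the unauthenticated 401 path so token guessing is throttled too.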
Discord.io – Structured Query Language (SQL) Injection Data Leak
Summary: A hacker abused a Structured Query Language (SQL) injection bug in a statistics page to steal the entire user database—about 760,000 accounts—and the founders shut the service down rather than face lawsuits.
Mitigation Tips (plain‑English)
- Use prepared database statements. Parameterized (prepared) queries keep user input separate from the SQL command. Most object–relational mapping (ORM) libraries do this by default, but their raw‑query escape hatches do not, so review those by hand.
- Test for bugs before launch. Static application security testing (SAST) scans the source code and dynamic application security testing (DAST) probes the running site; both can find injection points before an attacker does.
- Protect passwords and logins. Store passwords with a slow, salted hash such as bcrypt, scrypt or Argon2, and let people add two‑factor authentication (2FA) for extra safety.
More Detail
Discord.io – User Data Hack Shuts Down Service (2023): Discord.io was a third‑party service that provided custom invite links and perks for Discord communities – essentially a small tech business built atop the popular chat platform. In August 2023, Discord.io was forced to cease operations entirely after a major data breach. Hackers accessed the service’s primary database and stole the personal info of about 760,000 users, then offered it for sale online. The compromised data likely included usernames, email addresses, and hashed passwords. Rather than attempt recovery, the Discord.io owners announced a total shutdown, presumably to avoid the avalanche of liability (numerous users could have claimed the startup hadn’t safeguarded data properly). In other words, the breach was so bad that the founders decided to fold the business rather than face potential lawsuits and an impossible rebuilding of trust. It’s an extreme case, but it shows that one breach can erase years of effort overnight for a small online service.
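The bug class above, a statistics lookup that pastes a name into its SQL, is short enough to show beside its fix, together with the password‑storage advice from the tips. The following is an added example and not Discord.io’s code or schema: the tables and rows are constructed, and the standard library’s scrypt stands in for bcrypt (a third‑party package) since both are deliberately slow, salted hashes.

```python
"""SQL injection in a 'server statistics' lookup, its parameterized fix, and slow password hashing."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt from the standard library stands in for bcrypt (a third-party package);
    both are deliberately slow so that leaked hashes are expensive to crack."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def build_db() -> sqlite3.Connection:
    """Constructed sample schema and rows (not Discord.io's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE servers(name TEXT PRIMARY KEY, members INTEGER);
        CREATE TABLE users(username TEXT PRIMARY KEY, email TEXT, pw_hash BLOB, salt BLOB);
        INSERT INTO servers VALUES ('gamers', 1200), ('devs', 340);
        """
    )
    for user, email, pw in [("alice", "alice@example.com", "correct horse"),
                            ("bob", "bob@example.com", "hunter2")]:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (user, email, digest, salt))
    return conn


def stats_vulnerable(conn, server_name: str):
    """Bug: the caller-supplied name is pasted into the SQL text, so it can rewrite the query."""
    sql = f"SELECT name, members FROM servers WHERE name = '{server_name}'"
    return conn.execute(sql).fetchall()


def stats_fixed(conn, server_name: str):
    """Fix: a placeholder and a parameter tuple; the driver never parses the value as SQL."""
    return conn.execute("SELECT name, members FROM servers WHERE name = ?", (server_name,)).fetchall()


# A UNION payload that turns the two-column statistics query into a user-table dump.
INJECTION = "' UNION SELECT username, email FROM users --"


def verify_password(conn, username: str, password: str) -> bool:
    """Parameterized lookup plus constant-time comparison of the recomputed hash."""
    row = conn.execute("SELECT pw_hash, salt FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    stored, salt = row
    return hmac.compare_digest(stored, hash_password(password, salt)[1])
```

Run stats_vulnerable with INJECTION and the "statistics" result set comes back full of usernames and emails; the same input to stats_fixed returns no rows, because the driver sends the text as a value rather than as part of the statement. Even with injection closed, storing only salted slow hashes limits what a future dump is worth.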
Young Consulting (Connexure) – BlackSuit Ransomware
Summary: Attackers exploited an outdated Virtual Private Network (VPN) appliance and unleashed ransomware that locked systems and exposed health‑insurance data for nearly one million people.
Mitigation Tips (plain‑English)
- Patch internet‑facing devices fast. Vendors publish fixes—install them promptly.
- Keep backup copies offline. Ransomware can’t touch disconnected backups.
- Use endpoint threat‑hunting tools. Endpoint Detection and Response (EDR) software spots unusual behaviour early.
More Detail
Young Consulting (Connexure) – Insurance Tech Firm Breached (2024): In April 2024, Atlanta‑based software vendor Young Consulting (recently rebranded as “Connexure”) was hit by BlackSuit ransomware, which not only encrypted systems but stole the personal data of over 950,000 individuals. Victims included clients of major insurers (for example, Blue Shield of California), with leaked records exposing names, Social Security numbers, birthdates and medical claim info. When the small firm couldn’t afford the ransom, hackers dumped the data publicly – an extortion nightmare that led to breach notices for almost a million people and gravely damaged the company’s reputation. Despite investing in public relations and rebranding, Connexure faced customer exodus, cancelled contracts and steep recovery costs.
CloudNordic – Catastrophic Ransomware Wipe
Summary: During a data‑centre move, criminals encrypted every server and even the backups, leaving the hosting company and all of its customers with no data.
Mitigation Tips (plain‑English)
- Keep a second, immutable backup. Use storage that attackers cannot change or delete (write‑once or object‑lock storage), held in a separate account or site from production so that a compromised admin login cannot reach it.
- Separate admin networks. Management consoles should use Multi‑Factor Authentication (MFA) and be isolated from customer traffic.
- Monitor for strange admin activity. A Security Information and Event Management (SIEM) system can raise an alert when privileged accounts act out of character.
More Detail
CloudNordic – Hosting Provider Wiped Out (2023): A Danish cloud hosting company, CloudNordic, suffered a catastrophic ransomware attack in August 2023 that literally wiped out most of its customers’ data. Attackers infiltrated during a data center migration and managed to encrypt every server and even the backups – meaning websites, databases, and email systems for all clients were irretrievably scrambled. CloudNordic announced it had “lost access to all data” and lacked the funds to pay any ransom. With no data to restore, the provider was essentially paralyzed, leaving many small‑business customers dead in the water. This disastrous incident highlights how a single breach can destroy a company’s entire digital asset base if proper off‑site or segregated backups aren’t in place.
National Public Data – Credentials Leak and 2.9‑Billion‑Record Breach
Summary: A backup file left on the public website contained administrator passwords, giving attackers the keys to steal billions of identity records.
Mitigation Tips (plain‑English)
- Store secrets safely. Use a dedicated vault so passwords never sit in plain text on a server.
- Scan your public site. Regular automated scans spot files that should not be exposed.
- Limit database powers. Even admin accounts should have strong, unique passwords and limited network access.
More Detail
National Public Data – a small US data broker service – suffered an enormous breach after it inadvertently exposed a sensitive file on its website. In late 2023, hackers scanning the site discovered a ZIP archive (“Members.zip”) sitting in a public web directory. Astonishingly, this file contained plaintext administrator usernames and passwords for NPD’s backend database, as well as some website source code. With these credentials, the attackers had the “keys to the kingdom” – they remotely logged into NPD’s database and stole 2.9 billion records of personal data (names, addresses, phone numbers, emails, Social Security numbers, etc.), affecting over 170 million individuals. The breach went undetected for months; by April 2024 the data was being sold on hacker forums, and NPD only publicly acknowledged the intrusion in August. Investigators believe the root cause was the exposed password archive on a sister site (RecordsCheck.net) – likely an oversight where a developer left a backup file accessible without authentication. The admin passwords were also weak/default in many cases, compounding the issue. This represents a classic configuration mistake that had dire consequences: essentially, NPD published its own admin passwords online, which attackers promptly abused. The company faced legal and financial ruin (multiple lawsuits and bankruptcy proceedings) after this massive leak.
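The tip to scan your own public site is simple to automate: walk the document root, flag file types that should never be served (archives, backups, dotfiles, keys), and look inside both plain files and zip archives for anything that reads like a credential assignment. The following is an added example, not NPD’s site or anything from this page; the sample document root, its file names (including a members.zip with a credentials file inside) and their contents are constructed in a temporary directory so that the scan runs offline.

```python
"""Scan a web document root for exposed backups, dotfiles and plaintext credentials."""
import re
import tempfile
import zipfile
from pathlib import Path

RISKY_SUFFIXES = {".zip", ".tar", ".gz", ".7z", ".bak", ".sql", ".old", ".orig", ".pem", ".key"}
RISKY_NAMES = {".env", ".git", ".htpasswd", "id_rsa"}
# Matches password: x / PASSWORD=x / "db_password": "x" / api_key = x / SECRET_KEY = x
CRED_PATTERN = re.compile(
    r"(?i)(password|passwd|pwd|secret(?:[_-]?key)?|api[_-]?key)['\"]?\s*[:=]\s*['\"]?([^\s'\";,]{4,})"
)
MAX_BYTES = 1_000_000  # do not grep huge media files


def scan_docroot(docroot) -> list:
    """Return (relative_path, finding) pairs. Findings are 'risky-type',
    'plaintext-credential' or 'credential-in-archive' (path!member)."""
    docroot = Path(docroot)
    findings = []
    for path in sorted(docroot.rglob("*")):
        rel = path.relative_to(docroot).as_posix()
        if path.is_dir():
            if path.name in RISKY_NAMES:  # e.g. an exposed .git directory
                findings.append((rel, "risky-type"))
            continue
        if path.suffix.lower() in RISKY_SUFFIXES or path.name in RISKY_NAMES:
            findings.append((rel, "risky-type"))
        if zipfile.is_zipfile(path):
            # The NPD case was exactly this: a zip with plaintext admin passwords inside.
            with zipfile.ZipFile(path) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_BYTES:
                        continue
                    if CRED_PATTERN.search(zf.read(info).decode("utf-8", "ignore")):
                        findings.append((f"{rel}!{info.filename}", "credential-in-archive"))
            continue
        if path.stat().st_size <= MAX_BYTES and CRED_PATTERN.search(path.read_text(errors="ignore")):
            findings.append((rel, "plaintext-credential"))
    return findings


def build_sample_docroot() -> str:
    """Constructed document root for demonstration; names and contents are made up."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "index.html").write_text("<html><body>hello</body></html>")
    (root / "static").mkdir()
    (root / "static" / "app.css").write_text("body { color: black; }")
    (root / ".env").write_text("DB_HOST=localhost\nDB_PASSWORD=hunter2\n")
    with zipfile.ZipFile(root / "members.zip", "w") as zf:
        zf.writestr("admin_creds.txt", "username: admin\npassword: Summer2023!\n")
        zf.writestr("README.txt", "site backup\n")
    return str(root)


if __name__ == "__main__":
    for rel_path, finding in scan_docroot(build_sample_docroot()):
        print(f"{finding:22} {rel_path}")
```

Run it on the real document root from a cron job and page someone on any finding; the same scan should also run from outside against the live site (a list of candidate URLs such as /backup.zip or /.env) because a reverse proxy may serve paths that the file system view does not show. Any credential it finds is already compromised: rotate it, do not just delete the file.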
KiranaPro – Cloud Account Takeover and Total Data Wipe
Summary: Attackers used a former employee’s unrevoked admin credentials, reset the Multi‑Factor Authentication (MFA) on the root account, and deleted all Amazon Web Services (AWS) servers and GitHub code.
Mitigation Tips (plain‑English)
- Remove access the day someone leaves. Off‑boarding scripts can disable credentials automatically.
- Secure admin logins with physical security keys. Hardware‑based MFA resists phishing and token theft.
- Copy logs and backups to another account. That way even a root‑level attack cannot erase your evidence and last‑resort backups.
More Detail
KiranaPro Startup Cloud Breach – 2025: Attackers gained root access to the company’s Amazon Web Services (AWS) and GitHub accounts using a former employee’s credentials and wiped out the core codebase from GitHub. Essentially, the company’s entire product and customer data (names, addresses, payment info) vanished overnight. Evidence pointed to an unrevoked admin account from an ex‑employee as the entry point, possibly combined with stolen passwords or malware to defeat the original Multi‑Factor Authentication (MFA). The root cause was a failure to promptly remove access for departed employees and over‑reliance on a single high‑privilege account. With the AWS root account compromised, the team lost visibility of logs (since even audit trails were inaccessible or deleted), severely hampering incident response. KiranaPro, barely a few months old, was left non‑operational after the breach – a stark lesson on cloud security hygiene.
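The first tip above, removing access the day someone leaves, is the part of this story that a script can enforce. The following is an added example and not KiranaPro’s code; it uses the real method names and keyword arguments of the boto3 IAM client, but runs here against a constructed in‑memory stand‑in (FakeIam) with a made‑up user, key ID and ARNs so that it works offline. It covers IAM users only; the AWS root user has no such API, which is one more reason to keep root locked behind a hardware MFA device and never use it day to day.

```python
"""Off-boarding: disable every credential an IAM user holds, in one idempotent pass."""


class FakeIam:
    """Constructed in-memory stand-in for boto3's IAM client. The method names and
    keyword arguments match boto3; the account ID, key ID and ARNs are made up."""

    def __init__(self):
        self.users = {
            "ex-admin": {
                "keys": [{"AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active"}],
                "login_profile": True,
                "mfa": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/ex-admin"}],
                "groups": [{"GroupName": "Admins"}],
                "policies": [{"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
            }
        }

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self.users[UserName]["keys"])}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for key in self.users[UserName]["keys"]:
            if key["AccessKeyId"] == AccessKeyId:
                key["Status"] = Status

    def delete_login_profile(self, UserName):
        if not self.users[UserName]["login_profile"]:
            raise RuntimeError("NoSuchEntity")  # boto3 raises NoSuchEntityException here
        self.users[UserName]["login_profile"] = False

    def list_mfa_devices(self, UserName):
        return {"MFADevices": list(self.users[UserName]["mfa"])}

    def deactivate_mfa_device(self, UserName, SerialNumber):
        u = self.users[UserName]
        u["mfa"] = [d for d in u["mfa"] if d["SerialNumber"] != SerialNumber]

    def list_groups_for_user(self, UserName):
        return {"Groups": list(self.users[UserName]["groups"])}

    def remove_user_from_group(self, GroupName, UserName):
        u = self.users[UserName]
        u["groups"] = [g for g in u["groups"] if g["GroupName"] != GroupName]

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": list(self.users[UserName]["policies"])}

    def detach_user_policy(self, UserName, PolicyArn):
        u = self.users[UserName]
        u["policies"] = [p for p in u["policies"] if p["PolicyArn"] != PolicyArn]


def offboard_user(iam, username: str) -> list:
    """Deactivate keys, console password, MFA, group membership and direct policies.
    Returns the actions taken so they can be written to the off-boarding ticket."""
    actions = []
    for key in iam.list_access_keys(UserName=username)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            # Deactivate rather than delete first, so a key still used by some
            # automation can be re-enabled briefly while that automation is fixed.
            iam.update_access_key(UserName=username, AccessKeyId=key["AccessKeyId"], Status="Inactive")
            actions.append(f"deactivated access key {key['AccessKeyId']}")
    try:
        iam.delete_login_profile(UserName=username)
        actions.append("deleted console login profile")
    except Exception as exc:  # no console password set: nothing to remove
        if "NoSuchEntity" not in str(exc):
            raise
    for device in iam.list_mfa_devices(UserName=username)["MFADevices"]:
        iam.deactivate_mfa_device(UserName=username, SerialNumber=device["SerialNumber"])
        actions.append(f"deactivated MFA device {device['SerialNumber']}")
    for group in iam.list_groups_for_user(UserName=username)["Groups"]:
        iam.remove_user_from_group(GroupName=group["GroupName"], UserName=username)
        actions.append(f"removed from group {group['GroupName']}")
    for policy in iam.list_attached_user_policies(UserName=username)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=username, PolicyArn=policy["PolicyArn"])
        actions.append(f"detached policy {policy['PolicyArn']}")
    return actions


if __name__ == "__main__":
    # Against a real account: import boto3; offboard_user(boto3.client("iam"), "ex-admin")
    for line in offboard_user(FakeIam(), "ex-admin"):
        print(line)
```

Wire this to the HR system so it fires on the leaving date without anyone remembering to run it, and run the same kind of removal for GitHub (organization membership, personal access tokens, deploy keys) on the same trigger. The returned action list is the evidence that the step happened; keep it somewhere the departing admin could not have deleted.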
Be prepared. The Michigan SBDC and the resources linked below are here to help.
Resources for Small‑Business Cybersecurity
- America’s Small Business Development Centers (SBDC) Cyber Guides
- U.S. Small Business Administration Cybersecurity Portal
- Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Stay Safe Online Best‑Practice Library
Joseph Gilby
Tech Team Consultant
Advanced Information Systems