Amtrak Breach Exposed Millions of Records. Is Your CRM the Next Target?

A Salesforce-related breach at Amtrak compromised millions of customer records. If you're running a CRM without proper security oversight, you might be next.

NSI Tech

A Salesforce-related breach at Amtrak exposed millions of customer records this month. The attack wasn’t some sophisticated, once-in-a-lifetime hack — it exploited a CRM system that many businesses run without thinking twice about.

That’s the real problem.

Most Businesses Treat Their CRM Like Furniture

They sign up, configure a few fields, add users, and move on. Security is an afterthought — if it’s considered at all.

But CRMs hold your customers’ data. Contact info, purchase history, internal notes. All of it.

If your CRM is exposed — through misconfiguration, weak access controls, or unpatched integrations — you’re one breach away from the same headlines Amtrak is dealing with right now.

What Made Amtrak Vulnerable

Based on what experts are piecing together, the Amtrak breach wasn’t caused by a flaw in Salesforce itself. It was the integrations, customizations, and third-party tools connected to it. That’s where most CRM security failures happen.

Common weak points:

  • Overpermissioned user accounts
  • Unsecured API connections to other tools
  • Outdated or unsupported integrations
  • No monitoring on privileged access

Sound familiar? These aren’t exotic problems. They’re everyday oversights that most SMBs have no idea they’re sitting on.

You Don’t Have to Be a Target

You don’t need a massive IT budget to lock this down. Basic CRM hygiene would have prevented most of what we’re seeing in these breaches:

Principle of least privilege — only give users the access they actually need, nothing more.

Review integrations quarterly — every connected app is a potential entry point. If you don’t use it, disconnect it.

Monitor for anomalies — unusual data exports or login spikes from odd locations are warning signs most businesses miss entirely.

Treat your CRM like infrastructure — it needs patching, monitoring, and someone who actually owns its security posture.
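
As an added example (not from the original post or from any CRM vendor), here is one way to act on the "monitor for anomalies" item above: flag logins from a country an account has never used, and exports far above that user's own baseline. The event schema, field names, thresholds and sample events are constructed assumptions; map your CRM's login-history and export audit records onto them.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events in a hypothetical schema (not a real CRM export format).
EVENTS = [
    {"ts": "2024-05-01T09:02", "user": "alice", "kind": "login", "country": "US"},
    {"ts": "2024-05-01T09:30", "user": "alice", "kind": "export", "rows": 120},
    {"ts": "2024-05-02T08:55", "user": "alice", "kind": "login", "country": "US"},
    {"ts": "2024-05-02T10:10", "user": "alice", "kind": "export", "rows": 200},
    {"ts": "2024-05-03T09:01", "user": "alice", "kind": "login", "country": "US"},
    {"ts": "2024-05-03T09:05", "user": "svc-sync", "kind": "login", "country": "US"},
    {"ts": "2024-05-03T09:06", "user": "svc-sync", "kind": "export", "rows": 50000},
    {"ts": "2024-05-04T03:14", "user": "alice", "kind": "login", "country": "NL"},
    {"ts": "2024-05-04T03:20", "user": "alice", "kind": "export", "rows": 48000},
]

def find_anomalies(events, min_logins=3, export_factor=10, export_floor=1000):
    """Return (ts, user, reason) alerts, judging each event against that user's own history."""
    countries = defaultdict(list)  # user -> countries of earlier logins
    exports = defaultdict(list)    # user -> row counts of earlier exports
    alerts = []
    # ISO-style timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["kind"] == "login":
            seen = countries[user]
            # Judge location only once the account has an established baseline.
            if len(seen) >= min_logins and ev["country"] not in seen:
                alerts.append((ev["ts"], user, f"login from new country {ev['country']}"))
            seen.append(ev["country"])
        elif ev["kind"] == "export":
            prior = exports[user]
            # No history yet (e.g. a new integration account): use the absolute floor.
            limit = max(export_floor, export_factor * median(prior)) if prior else export_floor
            if ev["rows"] > limit:
                alerts.append((ev["ts"], user,
                               f"export of {ev['rows']} rows exceeds limit {limit:g}"))
            prior.append(ev["rows"])
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(EVENTS):
        print(*alert, sep=" | ")
```

On the sample data this raises three alerts for review: the integration account's first large export, and the new-country login followed minutes later by an export far above that user's baseline.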

The Real Cost of Getting This Wrong

Amtrak is facing regulatory heat, customer trust damage, and a cleanup bill that will run for months. For a small business, a breach like this can be existentially threatening — not just costly.

If you’re running Salesforce, Dynamics, or any CRM with sensitive data, now is the time to review your setup. Not after a breach. Before.

Book a free security review → We’ll assess your CRM and managed IT environment and tell you exactly where you’re exposed — no obligation.
