Amtrak Just Had 9.4 Million Customer Records Stolen — Through Its CRM

A cyberattack on Amtrak's Salesforce CRM exposed up to 9.4 million records. If your business runs on a CRM, this story should keep you up tonight.

NSI Tech

Two weeks ago, Amtrak confirmed what no business owner wants to hear: hackers walked out with sensitive data on up to 9.4 million customers. The entry point? Their CRM — specifically, a Salesforce-related system. This wasn’t some sophisticated zero-day attack. It was a supply chain exploit through the tools your business probably runs on too.

The numbers are staggering. Names, contact details, maybe payment info — depending on what fields your CRM touches, that’s what the attackers got. Amtrak is now navigating regulatory scrutiny, customer notification requirements, and a reputation hit that no PR firm can spin away.

But here’s what should actually keep you up at night: this wasn’t a one-off. AI-enabled cyberattacks are up 89% year-over-year. Threat actors are using AI to speed up reconnaissance, generate polymorphic malware, and automate attacks at scale. The window between “someone thinks up an attack” and “that attack is deployed” has collapsed from weeks to hours.

Why Your CRM Is a Gold Mine

Your CRM doesn’t just hold contacts. It holds the full picture of who your customers are — purchase history, support tickets, internal notes, sometimes financial data. For an attacker, that’s not a database. That’s a jackpot.

And most SMBs treat CRM security as an afterthought. Default permissions. Shared login credentials. No multi-factor authentication on integrations. The CRM is “just software” — until it isn’t.

What You Can Do Right Now

Three things, this week:

  1. Audit what’s actually in your CRM. If you don’t need a field, delete it. Less data exposed means less damage if (when) something goes wrong.
  2. Lock down integrations. Third-party apps connected to your CRM are the modern supply chain. Each one is a potential entry point.
  3. Enable MFA everywhere, including API access. Not just the login screen — the back door too.

NSI Tech specializes in Salesforce Development, CRM security hardening, and managed IT for businesses that can’t afford to be the next headline. We make sure your tools work for you — not for the people trying to get inside them.

If you’re not sure where your CRM stands, let’s run an audit together.

→ Talk to NSI Tech about your security posture

Need help with any of this? NSI Tech has you covered.

Talk to us