The Amtrak Breach Shows Just How Dangerous a Hacked CRM Can Be

Amtrak just learned what most businesses don't realize until it's too late: when your CRM gets breached, you're not just exposing customer names. You're exposing everything.

NSI Tech

If you run a business, you’ve probably heard “data breach” and pictured some teenage hacker in a hoodie cracking into a database somewhere. Neat image. Not accurate.

The real breach story in April 2026 is Amtrak. Attackers walked out with up to 9.4 million customer records — names, emails, travel history, maybe more. And the entry point? Their CRM. Salesforce, specifically.

This Isn’t Just an Amtrak Problem

Amtrak is a household name. Most small and mid-size businesses assume they’re not interesting enough to target. Wrong. CRMs hold:

  • Every lead you’ve ever captured
  • Every customer contact and purchase history
  • Notes your sales team makes about prospects
  • Internal pricing, deal structures, discounts

That’s phishing gold. That’s identity theft material. That’s competitive intelligence if a competitor got curious.

And most SMBs have zero visibility into who’s accessing that data, whether their integrations are hardened, or whether their third-party plugins are creating back doors.

The Cost Isn’t Just Notification Letters

When Amtrak’s breach broke, the headlines focused on the 9.4 million records. What they didn’t lead with: Amtrak agreed to a $117.5 million settlement with Comcast that same week over a separate 2023 breach. These things add up. Regulatory fines. Legal fees. Customer churn when trust breaks. For a small business, one bad breach can be existential.

What Most Businesses Skip

The gaps that cause breaches like this usually come down to three things:

  1. Too many integrations, not enough oversight. That Salesforce-to-Markdown-to-Zapier-to-whatever pipeline your team set up? Nobody’s auditing it.
  2. Default permissions that never got locked down. CRM platforms are generous by default. Your data doesn’t need to be.
  3. No alerts on unusual API access. The Amtrak breach started through the CRM. Most businesses wouldn’t notice someone pulling bulk exports at 2am until the damage was done.
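One way to implement the alert from item 3, as an added example (not code from this article or from any CRM vendor): it scans API access log lines and flags exports that are large and off-hours, or far above the same user's earlier exports. The log format, field names, thresholds, and sample lines are all constructed assumptions; map them to whatever your CRM's audit log actually provides.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (hypothetical format): timestamp,user,source_ip,action,rows
SAMPLE_LOG = """\
2026-04-01T09:12:00,alice,203.0.113.10,query,120
2026-04-01T10:40:00,alice,203.0.113.10,export,300
2026-04-01T14:05:00,bob,203.0.113.11,export,250
2026-04-02T11:30:00,alice,203.0.113.10,export,280
2026-04-02T15:20:00,svc_zap,198.51.100.7,export,500
2026-04-03T02:04:00,svc_zap,198.51.100.99,export,48000
2026-04-03T02:09:00,svc_zap,198.51.100.99,export,52000
2026-04-03T13:00:00,bob,203.0.113.11,export,9000
"""

BUSINESS_HOURS = range(7, 20)  # assumed working hours, 07:00-19:59 log time
OFF_HOURS_ROWS = 1000          # assumed: off-hours exports above this size alert
BASELINE_FACTOR = 10           # assumed: alert at 10x the user's median export


def find_suspicious_exports(log_text):
    """Return (timestamp, user, ip, rows, reasons) for each export worth review."""
    history = defaultdict(list)  # user -> row counts of earlier, unflagged exports
    alerts = []
    records = (r for r in csv.reader(io.StringIO(log_text)) if r)
    # ISO 8601 timestamps sort correctly as plain strings.
    for ts, user, ip, action, rows in sorted(records):
        if action != "export":
            continue
        when, rows = datetime.fromisoformat(ts), int(rows)
        reasons = []
        if when.hour not in BUSINESS_HOURS and rows > OFF_HOURS_ROWS:
            reasons.append("off-hours bulk export")
        if history[user] and rows > BASELINE_FACTOR * median(history[user]):
            reasons.append("far above user's baseline")
        if reasons:
            alerts.append((ts, user, ip, rows, reasons))
        else:
            history[user].append(rows)  # flagged exports never raise the baseline
    return alerts


if __name__ == "__main__":
    for ts, user, ip, rows, reasons in find_suspicious_exports(SAMPLE_LOG):
        print(f"{ts} {user} from {ip}: {rows} rows ({'; '.join(reasons)})")
```

The baseline check catches the daytime export that an hours-only rule would miss, and keeping flagged exports out of the history stops one large pull from normalizing the next.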

You Don’t Have to Guess

If you’re running Salesforce — or any CRM — and you haven’t had someone look at your access controls, integrations, and audit logs recently, that’s a gap. Not a drama. Just a gap.

We can close it.
