TL;DR

This week saw Nike confirm a 1.4 TB data theft by the WorldLeaks cybercrime group, while Canada Life disclosed a breach affecting 70,000 customers via a compromised employee account. These incidents share a common thread: attackers exploited identity and vendor gaps that most small businesses still ignore. Fix three things this weekend — MFA on every admin account, supplier access reviews, and offline backups — and you avoid becoming next week's headline.

This Week's Major Incidents

1. Nike — 1.4 TB of Supply Chain and Design Data Stolen

What happened: The cybercrime group WorldLeaks claimed responsibility for stealing approximately 1.4 TB of internal data from Nike, comprising over 188,000 files related to product design, manufacturing processes, supply chain logistics, and operational information. Nike confirmed it is investigating a potential security incident after the group publicly threatened to leak the data.

How bad was it: Critical. This is not just customer PII — it is intellectual property, vendor pricing, factory specifications, and multi-year product roadmaps. For a business of Nike's scale, the competitive damage and potential supply chain disruption easily reach eight figures. For a smaller manufacturer or retailer, losing equivalent proprietary data to a competitor or ransomware group is often an extinction-level event.

How it could have been prevented: File theft at this volume suggests either long-undetected lateral movement inside the network or compromised credentials with broad file-share access. Prevention requires:

  • Principle of least privilege on file shares and design repositories
  • Data Loss Prevention (DLP) monitoring bulk file exfiltration
  • Network segmentation separating design systems from general corporate IT
  • Privileged Access Management (PAM) with session recording for high-value data stores

Your weekend action item: Audit your file server and cloud storage admin permissions. Remove "everyone" or "domain users" access from sensitive folders. Enable DLP alerts on SharePoint, Google Drive, or your NAS for bulk downloads.

2. Canada Life — 70,000 Customer Records Exposed via Compromised Employee Account

What happened: In April 2026, Canada Life disclosed that attackers accessed personal information of approximately 70,000 individuals after compromising a single employee account. The ShinyHunters threat actor group was linked to the breach. Exposed data included names, dates of birth, addresses, gender, and income details — a full identity-theft kit.

How bad was it: Severe. A compromised employee account is the most common initial access vector for SMBs, yet it is also the most preventable. For a financial services firm, the regulatory fines (PIPEDA in Canada, equivalent to GDPR penalties in structure) plus customer churn and credit monitoring costs can run into millions.

How it could have been prevented: The breach started with one compromised identity. Stopping it requires:

  • Phishing-resistant MFA (FIDO2/WebAuthn hardware keys or passkeys) on all remote-access and email accounts, not just SMS
  • Conditional access policies that block logins from unexpected geographies or devices
  • Endpoint Detection and Response (EDR) to catch credential theft and unusual data access patterns
  • Regular access reviews to ensure terminated or transferred employees lose access immediately

Your weekend action item: Enable MFA on every business-critical account today — email, CRM, accounting software, and remote desktop. If any account still uses SMS-only, upgrade it to an authenticator app or hardware key. Review active users in your Microsoft 365 or Google Workspace admin panel and deactivate stale accounts.

3. J Grennan & Sons — Agri-Trading Firm Hit by Akira Ransomware

What happened: Irish agri-trading company J Grennan & Sons was listed as a victim by the Akira ransomware group. The attackers claimed to have exfiltrated over 1 TB of data tied to more than 20 million individuals, including names, contact details, national identity numbers, energy contract information, and in some cases bank IBANs. The company confirmed significant operational disruption and engaged external incident responders.

How bad was it: Devastating for a mid-sized agribusiness. Akira operates a double-extortion model: encrypt systems and threaten to leak stolen data. Operational downtime in agriculture trading during peak season means rotting inventory, broken contracts, and cash-flow collapse. The 20-million-record data exposure also triggers GDPR liability for any EU-linked entity.

How it could have been prevented: Akira typically gains entry via unpatched VPN appliances, stolen credentials sold on dark-web markets, or phishing. Defenses include:

  • Patching internet-facing VPN and firewall firmware within 48 hours of advisory release
  • No direct RDP or VPN access without MFA and IP allowlisting
  • Immutable offline backups (3-2-1 rule: 3 copies, 2 media types, 1 offsite/air-gapped)
  • Network segmentation between IT and operational technology (OT) systems

Your weekend action item: Test your backups. Actually restore a file from your cloud backup and from your local backup. If you cannot restore in under an hour, you do not have a backup — you have a prayer. Move one full backup copy to an offline or immutable destination.

What Your Business Should Do Differently This Week

Most SMB owners treat cybersecurity like insurance: set it once and hope for the best. This week's breaches prove that approach is fatal. Here is a 48-hour action checklist:

  • Identity Lockdown: Enable MFA on every admin and finance account. Remove legacy protocols (IMAP/POP without MFA, basic auth).
  • Vendor Hygiene: List every third-party supplier with access to your data. Email them asking for their incident response contact and last penetration test date. Drop vendors who cannot answer.
  • Backup Integrity: Restore one critical file from each backup tier. Verify immutability on cloud backups (ransomware cannot encrypt what it cannot modify).
  • Phishing Drill: Send a fake phishing email to your team using a free tool. Anyone who clicks gets 10 minutes of training, not punishment.
  • Incident Response Card: Write one page with "If we get ransomware, call [number], disconnect [device], and do NOT touch [system]." Print it and tape it to the router.

FAQ

Q: We are too small for hackers to target — does this really apply to us?

A: Yes. Ransomware is automated and scalable. ShinyHunters and Akira do not hand-pick Fortune 500 targets; they scan the internet for unpatched VPNs and leaked credentials. A 20-person business with a $50,000 annual revenue is just as likely to be encrypted as a global brand — and far less likely to survive the downtime.

Q: We already have antivirus. Is that enough?

A: No. Traditional antivirus catches known malware signatures. Modern attackers use "living off the land" techniques — legitimate tools like PowerShell and remote management software — that antivirus ignores. You need EDR, MFA, network segmentation, and backup immutability layered together.

Q: How much does it cost to fix after a ransomware attack?

A: The average ransomware recovery cost for SMBs in 2026 is approximately $1.85 million, including downtime, data recovery, legal fees, and reputation damage. The ransom demand itself is often only 10-20% of the total cost. Prevention is orders of magnitude cheaper.

Q: Should we pay the ransom if we are hit?

A: Law enforcement and cybersecurity agencies universally advise against paying. Payment does not guarantee decryption key delivery, funds further criminal activity, and may expose you to sanctions liability. Build immutable backups and rehearse recovery instead.

Conclusion

This week's digest is a warning, not entertainment. Nike, Canada Life, and J Grennan & Sons all suffered breaches that started with basic identity, access, or vendor controls failing. The difference between a headline and a near-miss is rarely a million-dollar security appliance — it is MFA, patching, backups, and segmentation applied consistently.

Your weekend action items are concrete: enable MFA everywhere, test your backups, and review supplier access. If you need help prioritizing, visit consult.lil.business for a free cybersecurity assessment tailored to your business size and risk profile.

References

  1. Nike Probing Potential Security Incident as Hackers Threaten to Leak Data — SecurityWeek
  2. Hackers Accessed Personal Information of 70,000 People in Canada Life Data Breach — The Globe and Mail
  3. J Grennan & Sons Advises Customers It Was Victim of Cyber Attack — Agriland
  4. The State of Ransomware 2026 — BlackFog
  5. ACSC Essential Eight Maturity Model — Australian Cyber Security Centre

Need to prove security trust?

Start with qualified triage. We verify authority, minimise access, define scope, and focus on evidence that helps with insurers, customers, tenders, boards, auditors, and AI governance reviewers.

Start Qualified Triage