How one password destroyed a 158-year-old business
Attackers will exploit your weakest link (here's how to stop it)
A single password.
That’s all it took to destroy a 158-year-old business.
A company that survived world wars, depressions, and recessions. But it couldn’t survive the digital risks that every business, whether small or large, faces today.
Earlier this year, KNP, a UK transport firm, was hit by a ransomware attack. Hackers are believed to have guessed one employee’s password. That was enough to get inside, lock up the company’s systems, and demand millions for their release.
KNP couldn’t pay. They lost all their data, shut down, and 700 people lost their jobs.
KNP had insurance, certifications, and IT systems that “met industry standards.” But here’s the uncomfortable truth:
most small businesses don’t have that kind of budget or infrastructure. And even if you do, none of it matters if one password is weak.
How Password Attacks Happen
You don’t need to be a cybersecurity expert to understand this. Here are the three common methods:
Credential stuffing: Hackers take stolen username/password pairs from other breaches and try them on your systems. Works if employees reuse passwords.
Brute force attacks: Automated tools try millions of common passwords until one works.
Phishing: An employee clicks a fake email, unknowingly giving up their login details.
Once inside, attackers look for ways to escalate their access. They especially want to find administrator accounts. If they get there, it’s game over.
It’s Not Just KNP
In 2021, Colonial Pipeline, a major U.S. fuel supplier, suffered a breach that led to fuel shortages across the East Coast. The root cause? A single compromised VPN password for an unused account.
No sophisticated malware. Just an open door.
You don’t need to run a nationwide pipeline to be at risk. In fact, small firms are often more attractive targets because they don’t have big security teams. For attackers, that means an easier payday.
And who can forget the theft of personal DNA data and related info from 23andMe? Or the credential stuffing attack against Roku. We covered both in prior posts. Here’s the one on Roku’s incident.
The Hidden Costs Small Businesses Often Underestimate
A password breach doesn’t just mean paying a ransom (if you choose to). The real cost stack looks like this:
Immediate losses: Ransom demand, legal fees, and technical recovery costs.
Operational downtime: Lost sales, missed deliveries, disrupted services.
Reputation damage: Clients and customers lose trust — and may never return.
Lost opportunities: You may not get that next contract, loan, or referral once word spreads.
For KNP, the total was business-ending. For smaller firms, it can be even worse because there’s no financial cushion to absorb the hit.
Where Password Policies Fail in Practice
Even if you’re a solo operator or run a team of five, the same mistakes show up again and again:
Executives or long-time staff are exempt from password rules.
Passwords are shared over email, chat, or spreadsheets.
MFA is rolled out to most accounts but not all.
Default credentials on vendor-supplied systems are never changed.
Attackers thrive on these gaps because they only need to find one.
Quick Wins You Can Deploy Today
You can’t rebuild a security culture overnight, but you can raise the bar fast. Here’s how:
Enforce MFA on every account — no exceptions for you, your staff, or your vendors.
Reset all high-privilege account passwords and store them in a password manager.
Audit inactive accounts and disable anything unused.
Hold vendors and contractors to the same standard. If they’re logging into your systems, make sure they’re using MFA too.
Use hardware security keys for critical accounts. Keys like YubiKey or SoloKey make phishing nearly impossible and are one of the highest ROI upgrades you can make.
Make yourself a harder target
Before attackers do it for you, find out what they can learn about you and your team online. Our guide How Exposed Are You Online walks you through the same OSINT techniques attackers use, and how to close those gaps.
LinkedIn is another overlooked attack surface. Hackers use it to profile executives, craft convincing phishing emails, and map your company’s structure. The LinkedIn Privacy Tune-Up shows you how to lock down your profile without disappearing from the platform (link gets you 25% off).
The leadership takeaway
Cybersecurity isn’t about building a fortress. Rather, it’s about plugging the small gaps that can sink your business overnight.
For a small firm or solo operator, one password mistake can be the difference between staying open and shutting your doors for good.
How many weak links are in your business right now?
Friendly Ask
If you know someone who owns or manages a business, please share this post to help them protect their business.
Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.
Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.
AI scams are here and getting more sophisticated. One of the best things you can do to protect yourself is to remove your personal information from Google and the data broker sites. That starves the scammers of vital information, making you a much harder target. You can DIY, or pay a reasonable fee to DeleteMe to do it for you. Sign up today and get 20% off using our affiliate link here. We’ve used DeleteMe for almost five years and love it for the peace of mind. It’s also a huge time saver and an instant privacy win.
Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.
Check out our specialized privacy and security guides in our digital shop. Below is a sample of what’s available. People are really loving the De-Google your Life Guide (available here at 25% off). Browse all the guides here.
If you’re reading this but haven’t yet signed up, join for free (2.8K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇
Waiting for the day that companies offer benefits such as delete me or dark web monitoring. It helps both the employer and the employee. Win/win scenario.
Truly sad to see the impact of even the smallest mistakes.