Berkadia Exposes 305K PII Records After Salesforce Credential Compromise
What Happened — In March 2026 ShinyHunters launched a “pay‑or‑leak” extortion campaign against commercial real‑estate finance firm Berkadia. The group later published data they said was extracted from Berkadia’s Salesforce instance, revealing more than 305,000 unique email addresses plus names, physical addresses, phone numbers and employer information.
Why It Matters for Compliance & Audit Readiness
- The breach is a textbook example of a failure to enforce SOC 2 access‑control criteria for the Security principle – privileged SaaS accounts were not sufficiently protected.
- Continuous monitoring of credential usage and periodic review of SaaS permission sets provide the audit evidence needed to demonstrate due diligence.
- Mapping this incident to your SOC 2 controls helps close gaps before auditors or regulators raise the same issue.
Who Is Affected — Commercial‑real‑estate finance firms, and any organization that stores PII in Salesforce or similar SaaS CRM platforms.
Recommended Actions
- Conduct an immediate review of all Salesforce admin and user permissions; enforce MFA for every privileged account.
- Deploy continuous credential‑monitoring and log‑analysis to flag anomalous access patterns.
- Update SOC 2 access‑control policies, capture evidence of permission reviews, and retain it for audit purposes. Source: HIBP Breach Detail
Technical Notes
- Attack vector: stolen credentials (likely via phishing or credential reuse).
- Data types exposed: email addresses, names, physical addresses, phone numbers, employer information. Source: HIBP Breach Detail