Hallmark Breach Exposes 1.7M Customer Records via Compromised Salesforce Tenant
What Happened — In March 2026 attackers gained unauthorized access to Hallmark’s Salesforce environment and exfiltrated personal data for 1,736,520 accounts. The stolen data—email addresses, names, phone numbers, physical addresses, and support‑ticket contents—was published after an extortion deadline elapsed.
Why It Matters for TPRM —
- SaaS platforms such as Salesforce can become a single point of failure for vendors, expanding the attack surface beyond the primary organization.
- Exposure of personally identifiable information (PII) creates downstream liability for partners that share or process the data.
- The breach may trigger regulatory notifications, contractual penalties, and reputational damage that affect third‑party risk assessments.
Who Is Affected — Retail and consumer‑facing services (Hallmark greeting‑card business and Hallmark+ streaming service) that rely on a CRM provider.
Recommended Actions — Review Hallmark’s third‑party SaaS security controls, validate Salesforce access management (least‑privilege, MFA, IP restrictions), conduct a supply‑chain risk assessment for any downstream data processors, and update incident‑response playbooks to include SaaS‑provider compromise scenarios.
Technical Notes — The attack vector appears to be a compromise of Hallmark’s Salesforce tenant, likely via stolen credentials or misconfiguration. No public CVE is associated. Data types leaked include email, full name, phone, physical address, and support‑ticket content. Source: Hallmark breach – Have I Been Pwned