
June 18, 2026

Nintendo Wasn’t Hacked — Its Vendor Was. That’s the Lesson for Your Business.

This week, a hacking group claimed it had stolen a trove of internal Nintendo data — employee names, email addresses, workplace survey responses, even private messages — and demanded a two-million-dollar ransom to keep it from being leaked. For a company as guarded and iconic as Nintendo, the headline alone is striking. But the most important detail for any small business owner is not the ransom or the famous name. It is where the data actually came from. Because Nintendo’s own systems, by their account, were never broken into at all.

Nintendo responded by confirming that the stolen information came from a third-party service it used to run internal employee surveys — not from Nintendo’s own network. The attackers did not breach the fortress. They walked in through a vendor the fortress trusted. And that single fact is the most useful cybersecurity lesson a small business can take from this whole episode, because you trust vendors with your data exactly the same way — probably more than you realize.

You’re only as secure as the companies you hand your data to

Every business today runs on other companies’ software. The platform that runs your payroll. The service that stores your customer list. The app that schedules your appointments, the tool that collects employee information, the cloud system that holds your files. Each one of those is a company you have handed a piece of your business to — and each one is holding your data on their systems, protected by their security, not yours. You can build the strongest walls in the world around your own office, and it will not matter if one of the vendors you trusted gets broken into. Their breach becomes your breach. Their stolen database is full of your people and your customers.

That is exactly what happened to Nintendo. They did the hard, expensive work of protecting their own house, and the attackers simply went around it — to a smaller, softer vendor that happened to be holding sensitive employee data. The attackers understood something most business owners overlook: you do not have to beat the strongest link, you just have to find the weakest one. And the weakest link is very often not the business itself, but one of the dozen outside services it quietly depends on.

The data you forgot you were handing over

The other quietly alarming detail in the Nintendo story is the kind of data that got exposed. Not credit card numbers or state secrets — employee survey responses. Workplace feedback. The candid, human stuff people share when they think it is private. It is exactly the category of information a business collects, hands to some helpful third-party tool, and then never thinks about again. Nobody pictures the anonymous employee survey from three years ago as a security risk. And yet there it was, in a criminal’s hands, being used as leverage.

Think about how much data your business has handed to outside services over the years and then forgotten. Old customer records in a platform you barely use anymore. Employee information in an HR or scheduling tool. Files in a cloud account someone set up years ago. Survey responses, application forms, payment details, email lists — scattered across a dozen services, each one a place your data is sitting on someone else’s computers. Most owners have never made a list of who holds their data, let alone asked whether those companies are keeping it safe or whether it should even still be there. That forgotten, scattered data is a quiet liability, and the Nintendo breach is a reminder that attackers are actively hunting for exactly these soft, overlooked stashes.

“We’re too small for this” is exactly backwards

It would be easy to read a story about Nintendo and a two-million-dollar ransom and conclude this is a big-company problem. It is the opposite. The vendors a small business relies on are often smaller and less defended than the ones a giant like Nintendo uses, and a small business is far less likely to have ever checked. The attackers running these schemes are not only chasing famous names — they go after the soft, data-rich targets wherever they find them, and a small business’s trusted-but-unwatched vendor is precisely that. The ransom might be smaller, but for a small business, the damage from exposed employee or customer data — the legal fallout, the lost trust, the cost of cleaning it up — can be far harder to absorb than it would be for a corporation.

Know who holds your data — before someone else does

You cannot personally guarantee the security of every company you do business with. But you can do the thing almost no small business has done: actually take stock. Know which outside services hold your data. Know what kind of information each one has. Know whether it still needs to be there, whether old accounts should be closed, and whether the truly sensitive material is in the hands of vendors you have any reason to trust. That awareness alone puts you ahead of the vast majority of small businesses, who have never mapped their own exposure and would have no idea where to even start looking if a vendor were breached tomorrow.

That is a core part of what our environment review does. We help you see the whole picture of your business’s digital footprint — including the outside services holding your data and where your real exposure lies — in plain language, with no jargon and no obligation. The honest question worth sitting with after the Nintendo news is simple: if one of the companies you have trusted with your data were breached this week, would you even know what they were holding? Most owners do not. Let’s make sure you are not one of them.

Sources: Cybernews; eSecurity Planet; Nintendo of America statement; VGC, June 2026.
