What happened in the recent PeopleSoft breach, and why does it matter to small businesses?
In early 2025, the cybercrime group ShinyHunters targeted a vulnerability in Oracle’s PeopleSoft software, a platform used by more than 100 educational institutions and numerous businesses to manage HR, finance, and student records. Google’s Threat Intelligence Group confirmed the attack compromised sensitive data at dozens of colleges. The breach did not stop at higher education. Small healthcare practices, professional services firms, and manufacturers that rely on PeopleSoft or similar enterprise resource planning (ERP) systems face identical risks.
Here is the point that keeps compliance officers awake: if your PeopleSoft instance stores protected health information (PHI), student education records, or financial account data, you are subject to the same notification and safeguard requirements as a Fortune 500 company. A breach at a vendor or within your own environment triggers a cascade of deadlines, documentation demands, and potential fines. The size of your business does not reduce your liability.
The ShinyHunters attack exploited a known vulnerability. That means organizations that had not applied Oracle’s security patches were exposed. For SMBs, patch management often falls through the cracks. You may rely on a part-time IT person, an outsourced vendor who does not prioritize updates, or internal staff who lack the time to monitor every vendor advisory. The result is a compliance gap that auditors and regulators will scrutinize after a breach.
Which compliance regimes apply to SMBs running enterprise software like PeopleSoft?
If you process, store, or transmit regulated data, you are accountable under one or more of these frameworks, regardless of company size.
HIPAA (Health Insurance Portability and Accountability Act): Any healthcare provider, health plan, or business associate handling PHI must implement administrative, physical, and technical safeguards. HIPAA requires a risk analysis, written policies, encryption or a documented equivalent control, and notification of affected individuals without unreasonable delay and no later than 60 days after discovery of a breach. Civil penalties run from $100 per violation for unknowing violations up to a cap of $1.5 million per violation category per year (statutory base amounts; HHS adjusts them for inflation). A breach affecting 500 or more individuals also requires notice to prominent media outlets and a report to the Department of Health and Human Services within the same 60 days; smaller breaches are logged and reported to HHS annually.
FERPA (Family Educational Rights and Privacy Act): Schools and educational service providers must protect student education records. While FERPA does not impose direct fines, a breach can result in loss of federal funding and state-level penalties. If you provide software or services to schools, the school will typically disclose records to you under FERPA's school-official exception, which makes you subject to the same use and redisclosure limits as the school's own staff, and your contract will usually pass that liability through to you.
FTC Safeguards Rule: Financial institutions under FTC jurisdiction (including mortgage brokers, accountants and tax preparers, and professional services firms that arrange financing) must develop, implement, and maintain a written information security program. The rule mandates encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, a written incident response plan, periodic written risk assessments, and an annual report to the board or senior management. Since May 2024 it also requires notifying the FTC within 30 days of discovering a breach affecting 500 or more consumers. Enforcement typically takes the form of a consent order with years of mandatory third-party compliance assessments; violating that order brings civil penalties.
State Breach Notification Laws: All 50 states have breach notification statutes. Timelines vary: many states require notice "without unreasonable delay," and those that set a hard deadline generally fall between 30 and 60 days of discovering a breach. Some states impose penalties per affected resident. California's CCPA adds a private right of action for breaches caused by a failure to maintain reasonable security, allowing individuals to sue for statutory damages of $100 to $750 per consumer per incident without proving actual harm.
If your PeopleSoft system holds data covered by any of these regimes, you cannot outsource accountability. You can hire a managed service provider (MSP) to handle security, but the legal obligation remains with your organization.
What are the concrete compliance steps SMBs miss before a breach?
Most small businesses do not fail compliance because they ignore it. They fail because they treat it as a one-time checklist instead of an ongoing process. Here are the six gaps we see most often.
1. No documented risk analysis: HIPAA, FTC Safeguards, and most state laws require a written assessment of where regulated data lives, who can access it, and what threats exist. This is not a vendor questionnaire. It is a line-by-line inventory of systems, databases, and access controls. Without it, you cannot demonstrate reasonable safeguards.
2. Missing or outdated vendor agreements: If a third party (including Oracle, your MSP, or a payroll provider) can access your regulated data, you need a business associate agreement (BAA) under HIPAA or equivalent contract under other regimes. The contract must specify data handling, breach notification, and liability. Many SMBs sign a vendor’s standard terms without negotiating security provisions or confirming the vendor will notify you of a breach within your own notification window.
3. Patch management left to chance: Oracle releases security fixes for PeopleSoft in its quarterly Critical Patch Update (January, April, July, October), with out-of-band Security Alerts for urgent issues; other ERP vendors follow similar cadences. If you do not have a process to test and deploy those patches within 30 days of release, you are operating with publicly documented vulnerabilities. Auditors and plaintiffs' attorneys will ask for patch logs. If you cannot produce them, you will struggle to prove you met the reasonable-safeguards standard.
4. No breach response plan: HIPAA and FTC Safeguards require a written incident response plan. The plan must define who investigates a suspected breach, how you preserve evidence, when you notify regulators and affected individuals, and who communicates with customers and the media. After a breach, you have days (not weeks) to make these decisions. Without a plan, you will miss deadlines and compound your liability.
5. Inadequate access controls and logging: Compliance frameworks require role-based access and audit logs. If every employee can open your ERP database or you cannot produce logs showing who accessed a breached record, regulators will presume negligence. Multi-factor authentication (MFA) and single sign-on (SSO) are no longer optional. They are baseline expectations.
6. No regular security awareness training: Phishing remains the top initial access vector. HIPAA and FTC Safeguards require periodic training. If an employee clicks a malicious link and ShinyHunters (or another group) gains access to your PeopleSoft instance, regulators will ask for training records. No records equals no defense.
How much does non-compliance actually cost an SMB?
Let’s put numbers to it. A breach affecting 1,000 records typically costs an SMB between $50,000 and $200,000 in forensics, legal fees, notification, credit monitoring, and lost productivity. If you missed a compliance requirement, add regulatory fines and settlement costs.
HIPAA fines depend on the violation tier, and they are assessed per violation (each affected record or each day a required safeguard was missing can count as a separate violation). Unknowing violations start at $100 per violation. Willful neglect, which includes failing to implement required safeguards, starts at $10,000 per violation if corrected within 30 days and $50,000 if not. A breach affecting 1,000 patients due to missing encryption or inadequate access controls can therefore trigger fines in the hundreds of thousands of dollars.
State attorneys general are increasingly aggressive. In 2023, New York fined a medical practice $450,000 for a breach affecting 135,000 individuals because the practice had no risk analysis, no encryption, and no BAA with a cloud vendor. The breach itself cost the practice $1.2 million. The fine was the smaller piece.
FTC enforcement actions often include mandatory third-party security assessments for 20 years, typically every two years. That means paying an external firm to review your controls and report findings to the FTC, at a typical cost of $25,000 to $75,000 per assessment.
Cyber insurance helps, but many policies exclude or condition coverage for losses arising from known, unpatched vulnerabilities. If Oracle released a patch six months before your breach and you had not applied it, your insurer may deny the claim. Even if coverage applies, expect premiums to rise 30% to 50% at renewal, and you may face new requirements for MFA, endpoint detection, or a formal security program as a condition of renewal.
Do I need a formal compliance program if I’m a 20-person professional services firm?
Yes, if you handle regulated data. The law does not carve out small businesses. A 20-person accounting firm processing tax returns falls under FTC Safeguards. A 15-person physical therapy clinic falls under HIPAA. A 30-person HR consultancy with access to client employee records falls under state breach notification laws and, depending on the contract, HIPAA or FERPA.
A formal compliance program does not mean hiring a full-time compliance officer. It means documenting your controls, assigning accountability, and maintaining evidence that you are meeting regulatory requirements. Here is what that looks like in practice.
Annual risk analysis: Spend four to eight hours per year (or hire an MSP to do it) cataloging where regulated data lives, how it is protected, and what risks exist. Update the analysis when you adopt new software or change vendors.
Written policies: Create (or adopt templates for) an information security policy, acceptable use policy, incident response plan, and breach notification procedure. These do not need to be 100-page manuals. A 10-page policy set that your team actually reads is better than a binder that sits on a shelf.
Vendor management: Maintain a spreadsheet of every vendor that can access regulated data. Confirm you have a signed BAA or data processing agreement. Review vendor security annually (many vendors publish SOC 2 reports or security questionnaires).
Patch and vulnerability management: Subscribe to security advisories from your ERP vendor, operating system provider, and any SaaS platforms. Assign someone to review advisories monthly and deploy critical patches within 30 days. Document what was patched and when.
Access review: Quarterly, review who has access to your ERP, file shares, and databases. Remove former employees and contractors immediately. Limit administrative privileges to those who need them.
Training: Conduct security awareness training at onboarding and annually. Document attendance. Use real-world examples (like the PeopleSoft breach) to show why clicking a link or reusing passwords matters.
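The quarterly access review above (and the access-control and logging gap described earlier) is the one item in this program that is easy to automate and that produces evidence an auditor will actually ask for. The following script is an added example, not code from the original article or from Oracle: it assumes you have exported user accounts and role assignments to CSV (for PeopleSoft that would be the PSOPRDEFN and PSROLEUSER tables; the column names below are assumptions and should be adapted to your export), then flags terminated users who are still active, accounts with no recent sign-on, and every account holding a privileged role so an owner can re-approve it. The sample export is constructed for the example.

```python
"""Quarterly access review over a constructed PeopleSoft-style user export.

Added example, not from the original article or Oracle. Assumed inputs:
two CSV exports with the columns shown in the constructed samples below
(modelled on PSOPRDEFN and PSROLEUSER, but treat the names as assumptions).
"""
import csv
import io
from datetime import date, datetime

# Constructed sample exports (not real data).
USERS_CSV = """OPRID,ACCTLOCK,LASTSIGNONDTTM,EMPLSTATUS
jsmith,0,2025-03-02 09:14:00,A
mlee,0,2024-08-15 17:02:00,A
tbrown,0,2025-02-20 08:30:00,T
svc_batch,0,,A
PS,0,2023-11-01 12:00:00,A
kwong,1,2024-01-10 10:00:00,T
"""

ROLES_CSV = """ROLEUSER,ROLENAME
jsmith,PeopleSoft User
mlee,PeopleSoft Administrator
tbrown,Payroll Administrator
svc_batch,ProcessSchedulerAdmin
PS,PeopleSoft Administrator
kwong,PeopleSoft User
"""

# Roles treated as privileged for the review (assumption; tune to your roles).
PRIVILEGED_ROLES = {"PeopleSoft Administrator", "Payroll Administrator",
                    "ProcessSchedulerAdmin"}
STALE_DAYS = 90  # no sign-on in this many days -> confirm the account is needed


def parse_users(text):
    """Parse the user export; add parsed sign-on date and lock flag."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        ts = r["LASTSIGNONDTTM"]
        r["last_signon"] = (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date()
                            if ts else None)
        r["locked"] = r["ACCTLOCK"] == "1"
    return rows


def parse_roles(text):
    """Map each user ID to the set of roles assigned to it."""
    roles = {}
    for r in csv.DictReader(io.StringIO(text)):
        roles.setdefault(r["ROLEUSER"], set()).add(r["ROLENAME"])
    return roles


def review_access(users, roles, as_of, stale_days=STALE_DAYS):
    """Return {oprid: [finding, ...]} for every active account needing action."""
    findings = {}
    for u in users:
        if u["locked"]:
            continue  # already disabled; nothing to remove
        notes = []
        if u["EMPLSTATUS"] == "T":
            notes.append("terminated employee still active: disable now")
        last = u["last_signon"]
        if last is None:
            notes.append("never signed on: confirm owner or disable")
        elif (as_of - last).days > stale_days:
            notes.append(f"no sign-on in {(as_of - last).days} days: confirm still needed")
        priv = sorted(roles.get(u["OPRID"], set()) & PRIVILEGED_ROLES)
        if priv:
            notes.append("privileged role(s): " + ", ".join(priv) + ": owner must re-approve")
        if notes:
            findings[u["OPRID"]] = notes
    return findings


def review_export(users_csv, roles_csv, as_of_iso):
    """Convenience wrapper: run the review over raw CSV text as of a date."""
    return review_access(parse_users(users_csv), parse_roles(roles_csv),
                         date.fromisoformat(as_of_iso))


def evidence_report(findings, as_of_iso):
    """Render the findings as the dated record you keep for auditors."""
    lines = [f"Quarterly ERP access review as of {as_of_iso}",
             f"Accounts requiring action: {len(findings)}"]
    for oprid in sorted(findings):
        for note in findings[oprid]:
            lines.append(f"  {oprid}: {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(evidence_report(review_export(USERS_CSV, ROLES_CSV, "2025-04-01"),
                          "2025-04-01"))
```

Keep the dated report, the reviewer's sign-off, and the ticket numbers for each disabled account together; that bundle is what answers the auditor's "show me your last access review."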
This work fits into 10 to 15 hours per quarter for a small firm. If you lack internal expertise, a compliance-focused MSP can handle most of it for $1,500 to $3,000 per month, far less than the cost of a single breach.
What should I do right now if I run PeopleSoft or a similar ERP system?
Start with these five actions. Each takes less than an hour.
1. Confirm your current patch level: Check the installed PeopleTools patch level and PeopleSoft Update Manager (PUM) image (or ask your IT provider) against the fixes listed in Oracle's latest quarterly Critical Patch Update. If you are more than one quarter behind, schedule patching immediately and record the date and patch level in your patch log.
2. Review your vendor contract: Pull your Oracle license agreement and any agreements with implementation or hosting partners. Confirm you have a BAA (if you store PHI) or equivalent data protection addendum. If not, request one in writing.
3. Test your backup and recovery process: Verify you have offline backups of your PeopleSoft database and that you can restore them. Ransomware groups often target ERP systems. If you cannot recover, you will face downtime, data loss, and potential ransom payment.
4. Enable MFA: If your PeopleSoft instance does not require multi-factor authentication for administrative and remote access, enable it today, typically by routing PeopleSoft sign-on through your identity provider via single sign-on. Most breaches begin with compromised credentials.
5. Document your current controls: Spend 30 minutes listing what security measures you have in place: firewalls, encryption, access controls, logging, training. This is the start of your risk analysis and your evidence that you met the reasonable-safeguards standard.
If you discover gaps, do not panic. Regulators and auditors recognize that security is a process. What they penalize is negligence: knowing a risk exists and doing nothing. Documenting your current state and creating a remediation plan demonstrates good faith.
How does working with a compliance-focused MSP reduce risk?
Most SMBs do not need a full-time Chief Information Security Officer. They need a partner who understands both the technology and the regulatory requirements. A compliance-focused MSP brings three things that break-fix IT providers typically do not.
Regulatory expertise: MSPs that specialize in HIPAA, FTC Safeguards, and state breach laws know what auditors ask for. They help you build documentation that satisfies regulators, not just checkbox security.
Proactive monitoring and patching: Instead of waiting for you to notice a vulnerability, the MSP monitors vendor advisories, tests patches in a staging environment, and deploys them during maintenance windows. This keeps you off the list of known-vulnerable targets.
Incident response and breach support: If a breach occurs, you need forensics, legal counsel, notification services, and regulatory filings within days. An experienced MSP coordinates the response, preserves evidence, and helps you meet notification deadlines. They also work with your cyber insurer to document the incident and support your claim.
The cost is predictable. Most compliance-focused MSPs charge a flat monthly fee that includes risk analysis, policy updates, patch management, and ongoing monitoring. Compare that to the cost of a breach (six figures) or the cost of hiring an internal IT manager (six figures annually), and the ROI is clear.
What happens if I ignore compliance until after a breach?
You will face three cascading problems: regulatory penalties, legal liability, and reputational damage.
Regulatory penalties: If you cannot produce a risk analysis, patch logs, training records, or vendor agreements, regulators will presume you were negligent. That moves you from the lowest fine tier to the highest. It also makes settlement harder. Regulators want to see that you have fixed the gaps. If you have no compliance program, they will require a consent order with ongoing monitoring and audits.
Legal liability: Affected individuals can sue under state consumer protection laws and (in some states) breach notification statutes. Class actions are expensive to defend even if you win. Your cyber insurance may cover defense costs but not settlements if the breach resulted from gross negligence.
Reputational damage: Clients and customers expect you to protect their data. A breach that exposes gaps in your security program erodes trust. Professional services firms lose clients. Manufacturers lose contracts. The cost is hard to quantify but often exceeds the direct breach expense.
On the other hand, if you can demonstrate you had a compliance program, applied patches promptly, and followed your incident response plan, you shift the narrative. You move from negligent to victim. That matters in settlement negotiations, insurance claims, and customer retention.
Where can I learn more about compliance requirements for my industry?
Compliance is not one-size-fits-all. The specific requirements depend on the data you handle and the states where you operate. Here are the authoritative sources for each major regime.
HIPAA: The Department of Health and Human Services Office for Civil Rights publishes guidance, audit protocols, and breach notification requirements at hhs.gov/ocr. Their Security Rule checklist is a practical starting point for small providers.
FTC Safeguards Rule: The Federal Trade Commission’s Safeguards Rule page includes the full text of the rule, FAQs, and a small business compliance guide. It is written for non-technical business owners.
State breach notification laws: The National Conference of State Legislatures maintains a summary of all 50 state breach laws at ncsl.org. Your legal counsel can help you determine which states’ laws apply based on where your customers or employees reside.
CMMC (Cybersecurity Maturity Model Certification): If you are a manufacturing or professional services firm in the defense supply chain and handle federal contract information or controlled unclassified information, you will need CMMC certification at the level your contracts specify. The Department of Defense runs the program; the Cyber AB (cyberab.org), the program's accreditation body, publishes assessment guides and requirements by level.
For SMBs that serve multiple industries or operate in multiple states, the safest approach is to adopt the most stringent standard that applies to any of your data. That way, you build one compliance program instead of juggling multiple frameworks.
Frequently Asked Questions
Does cyber insurance cover fines and penalties from a compliance failure?
Most cyber insurance policies exclude fines and penalties imposed by regulators. Coverage typically includes breach response costs (forensics, notification, credit monitoring, legal defense) and sometimes settlements or judgments from private lawsuits. Regulatory fines are considered uninsurable in many states because covering them would reduce the deterrent effect. Always review your policy’s exclusions and consider a separate errors and omissions or professional liability policy if you handle regulated data.
How long does it take to build a compliance program from scratch?
For a small business with 10 to 50 employees, you can complete a baseline compliance program in four to six weeks. That includes a risk analysis, policy documentation, vendor inventory, and initial training. Ongoing maintenance requires about 10 hours per quarter. If you work with an MSP, they can accelerate the timeline and handle most of the documentation for you. The key is starting now, because you cannot retroactively create a compliance program after a breach.
What is the difference between a business associate agreement and a data processing agreement?
A business associate agreement (BAA) is specific to HIPAA. It governs how a vendor or service provider handles protected health information on your behalf. A data processing agreement (DPA) is a broader term used in other privacy frameworks (like GDPR and CCPA) to define how a vendor processes personal data. If you handle PHI, you need a BAA. If you handle other personal information, a DPA may suffice. In practice, many vendors now use a combined agreement that satisfies both requirements.
Can I use a compliance checklist template I found online?
Templates are a good starting point, but they must be customized to your environment. A generic HIPAA checklist will not account for your specific ERP system, cloud vendors, or state laws. Use templates to understand what controls are required, then document how you implement each control in your business. An MSP or compliance consultant can help you adapt templates to your situation and ensure nothing is overlooked.
What should I do if I discover my vendor had a breach but did not notify me?
Contact the vendor immediately in writing and request details: what data was accessed, when the breach occurred, and why you were not notified. Review your contract to confirm whether the vendor was required to notify you within a specific timeframe. If the vendor’s delay caused you to miss your own notification deadline, you may have a claim for indemnification. Notify your cyber insurer and legal counsel, and begin your own breach response process even if the vendor downplays the incident. Under most compliance regimes, you (not the vendor) are responsible for notifying affected individuals.
Sources
Source: Colleges hit in cyberattack by group behind Canvas breach, Google says | Higher Ed Dive
